
Vulnerability_id VCID-bepd-668e-13h8
Summary
Use of Insufficiently Random Values in Railties Allows Remote Code Execution
# Possible Remote Code Execution Exploit in Rails Development Mode

Impact
------
With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.

Workarounds
-----------
This issue can be mitigated by specifying a secret key in development mode.
In "config/environments/development.rb" add this:

```ruby
# Set an explicit, randomly generated secret instead of relying on the
# automatically generated development-mode default.
config.secret_key_base = SecureRandom.hex(64)
```

Please note that only the 5.2.x, 5.1.x, 5.0.x, and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thanks to ooooooo_q

Aliases
- CVE-2019-5420
- GHSA-m42h-mh85-4qgc
Fixed_packages
- purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
  is_vulnerable false
  affected_by_vulnerabilities
  resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%3Fdistro=trixie
- purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
  is_vulnerable true
  affected_by_vulnerabilities VCID-2ghz-4sfg-2feh, VCID-5bzk-rhe1-fqdc, VCID-7zz5-k99f-v3f6, VCID-f48b-ashx-53bg, VCID-gbvf-y28h-kqax, VCID-hdsb-jx4g-fqf6, VCID-nwk7-sujd-nkc1, VCID-urpb-uk1z-vqga, VCID-v3mu-95kt-ufc6
  resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
- purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
  is_vulnerable true
  affected_by_vulnerabilities VCID-2ghz-4sfg-2feh, VCID-5bzk-rhe1-fqdc, VCID-7zz5-k99f-v3f6, VCID-f48b-ashx-53bg, VCID-gbvf-y28h-kqax, VCID-hdsb-jx4g-fqf6, VCID-nwk7-sujd-nkc1, VCID-urpb-uk1z-vqga, VCID-v3mu-95kt-ufc6
  resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
- purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
  is_vulnerable true
  affected_by_vulnerabilities VCID-2ghz-4sfg-2feh, VCID-5bzk-rhe1-fqdc, VCID-7zz5-k99f-v3f6, VCID-f48b-ashx-53bg, VCID-gbvf-y28h-kqax, VCID-hdsb-jx4g-fqf6, VCID-nwk7-sujd-nkc1, VCID-urpb-uk1z-vqga, VCID-v3mu-95kt-ufc6
  resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
- purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
  is_vulnerable false
  affected_by_vulnerabilities
  resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
- purl pkg:gem/rails@5.2.2.1
  is_vulnerable true
  affected_by_vulnerabilities VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-enf4-jrzh-nyac, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1
- purl pkg:gem/rails@6.0.0
  is_vulnerable true
  affected_by_vulnerabilities VCID-25ru-4qks-7yf3, VCID-42t7-kbeq-eqcm, VCID-4w1v-z4zj-6ydp, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-be5x-uyc6-sudm, VCID-enf4-jrzh-nyac, VCID-fgtd-zx7r-rygb, VCID-tjcm-cvtx-jbgt, VCID-uppk-66vw-gbb9, VCID-wm9p-z4n1-t7cs
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.0
- purl pkg:gem/railties@5.2.2.1
  is_vulnerable false
  affected_by_vulnerabilities
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.2.1
- purl pkg:gem/railties@6.0.0
  is_vulnerable false
  affected_by_vulnerabilities
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@6.0.0
Affected_packages
- purl pkg:gem/rails@5.2.1
  is_vulnerable true
  affected_by_vulnerabilities VCID-2q3z-t4mp-aqdx, VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs, VCID-xkt5-d1x6-nbdx
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.1
- purl pkg:gem/rails@5.2.1.rc1
  is_vulnerable true
  affected_by_vulnerabilities VCID-2q3z-t4mp-aqdx, VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs, VCID-xkt5-d1x6-nbdx
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.1.rc1
- purl pkg:gem/rails@5.2.2
  is_vulnerable true
  affected_by_vulnerabilities VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2
- purl pkg:gem/rails@5.2.2.rc1
  is_vulnerable true
  affected_by_vulnerabilities VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.rc1
- purl pkg:gem/rails@6.0.0.beta2
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.0.beta2
- purl pkg:gem/rails@6.0.0.beta3
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.0.beta3
- purl pkg:gem/rails@5.2.0
  is_vulnerable true
  affected_by_vulnerabilities VCID-2q3z-t4mp-aqdx, VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6k4p-91ka-juh5, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs, VCID-xkt5-d1x6-nbdx
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.0
- purl pkg:gem/rails@5.2.1.1
  is_vulnerable true
  affected_by_vulnerabilities VCID-42t7-kbeq-eqcm, VCID-5t76-mwx9-8kc8, VCID-6z21-pd9d-pfgk, VCID-bepd-668e-13h8, VCID-enf4-jrzh-nyac, VCID-hmy5-ekrx-1ucn, VCID-q4zs-hq6a-ayf6, VCID-tjcm-cvtx-jbgt, VCID-wm9p-z4n1-t7cs
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.1.1
- purl pkg:gem/rails@6.0.0.beta1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.0.beta1
- purl pkg:gem/railties@5.2.0
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.0
- purl pkg:gem/railties@5.2.1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.1
- purl pkg:gem/railties@5.2.1.1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.1.1
- purl pkg:gem/railties@5.2.1.rc1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.1.rc1
- purl pkg:gem/railties@5.2.2
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.2
- purl pkg:gem/railties@5.2.2.0
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.2.0
- purl pkg:gem/railties@5.2.2.rc1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@5.2.2.rc1
- purl pkg:gem/railties@6.0.0.beta1
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@6.0.0.beta1
- purl pkg:gem/railties@6.0.0.beta2
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@6.0.0.beta2
- purl pkg:gem/railties@6.0.0.beta3
  is_vulnerable true
  affected_by_vulnerabilities VCID-bepd-668e-13h8
  resource_url http://public2.vulnerablecode.io/packages/pkg:gem/railties@6.0.0.beta3
References
- reference_url http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5420.json
  scores 8.1 (cvssv3, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5420
  scores 0.93745 (epss, scoring_elements 0.9986, published_at 2026-05-29T12:55:00Z)
- reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420
  scores
- reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
  scores 8.1 (cvssv3.1, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/railties/CVE-2019-5420.yml
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
  scores 9.8 (cvssv3); 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
  scores
- reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5420
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
  scores
- reference_url https://www.exploit-db.com/exploits/46785
  scores 9.8 (cvssv3.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CRITICAL (generic_textual)
- reference_url https://www.exploit-db.com/exploits/46785/
  scores
- reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689154
  reference_id 1689154
  scores
- reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924521
  reference_id 924521
  scores
- reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/46785.rb
  reference_id CVE-2019-5420
  reference_type exploit
  scores
- reference_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/rails_double_tap.rb
  reference_id CVE-2019-5420
  reference_type exploit
  scores
- reference_url https://github.com/advisories/GHSA-m42h-mh85-4qgc
  reference_id GHSA-m42h-mh85-4qgc
  scores CRITICAL (cvssv3.1_qr)
Weaknesses
- cwe_id 330
  name Use of Insufficiently Random Values
  description The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
- cwe_id 77
  name Improper Neutralization of Special Elements used in a Command ('Command Injection')
  description The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
- cwe_id 338
  name Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  description The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
- cwe_id 1035
  name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
  description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
- cwe_id 20
  name Improper Input Validation
  description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- cwe_id 937
  name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
  description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
- date_added 2019-05-02
  description Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)
  required_action null
  due_date null
  notes null
  known_ransomware_campaign_use true
  source_date_published 2019-05-02
  exploit_type remote
  platform linux
  source_date_updated 2019-05-02
  data_source Exploit-DB
  source_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/rails_double_tap.rb
- date_added null
  description This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails application would use its name as the secret_key_base, and can be easily extracted by visiting an invalid resource for a path. As a result, this allows a remote user to create and deliver a signed serialized payload, load it by the application, and gain remote code execution.
  required_action null
  due_date null
  notes AKA: doubletap; Stability: crash-safe; SideEffects: ioc-in-logs; Reliability: unknown-reliability
  known_ransomware_campaign_use false
  source_date_published 2019-03-13
  exploit_type null
  platform Linux
  source_date_updated null
  data_source Metasploit
  source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/rails_double_tap.rb
Severity_range_score 8.1 - 10.0
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bepd-668e-13h8