Search for packages
| purl | pkg:deb/debian/rails@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1xgz-hwng-n3eq | Untrusted users can run pending migrations in production in Rails There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185. Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2 Impact ------ Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
CVE-2020-8185
GHSA-c6qr-h5vq-59jc |
| VCID-5bh7-drnb-7ygg | Rails has possible XSS Vulnerability in Action Controller # Possible XSS Vulnerability in Action Controller There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143. Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1 Impact ------ Applications using translation methods like `translate`, or `t` on a controller, with a key ending in "_html", a `:default` key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. For example, impacted code will look something like this: ```ruby class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end end ``` To reiterate the pre-conditions, applications must: * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view) * Use a key that ends in `_html` * Use a default value where the default value is untrusted and unescaped input * Send the text to the victim (whether that's part of a template, or a `render` call) All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-0-translate-xss.patch - Patch for 7.0 series * 7-1-translate-xss.patch - Patch for 7.1 series Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix! |
CVE-2024-26143
GHSA-9822-6m93-xqf4 |
| VCID-5hqj-fxmk-cbcy | XSS Vulnerability in number_to_currency The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack. |
CVE-2013-6415
GHSA-6h5q-96hp-9jgm OSV-100524 |
| VCID-65tq-e5eb-eucj | Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this! |
CVE-2024-26144
GHSA-8h22-8cf7-hq6g |
| VCID-6j55-bstz-yybj | High severity vulnerability that affects actionpack actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. |
CVE-2011-0449
GHSA-4ww3-3rxj-8v6q |
| VCID-6tty-dbwx-rbgx | Duplicate This advisory duplicates another. |
CVE-2023-22797
GHSA-9445-4cr6-336r GMS-2023-57 |
| VCID-awt1-8bxs-xffs | actionpack Improper Authentication vulnerability The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method. |
CVE-2012-3424
GHSA-92w9-2pqw-rhjj OSV-84243 |
| VCID-c1w4-z275-tqg7 | Ruby on Rails Potential XSS Vulnerability in select_tag prompt When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. |
CVE-2012-3463
GHSA-98mf-8f57-64qf OSV-84515 |
| VCID-e3j5-xgbr-2qa1 | Possible DoS Vulnerability A carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby's sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: `"some string #{user_input}" % some_number` |
CVE-2013-4389
GHSA-rg5m-3fqp-6px8 OSV-98629 |
| VCID-ehbj-aezy-d7h4 | Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch # Possible ReDoS vulnerability in Accept header parsing in Action Dispatch There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142. Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1 Impact ------ Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-1-accept-redox.patch - Patch for 7.1 series Credits ------- Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch! |
CVE-2024-26142
GHSA-jjhx-jhvp-74wq |
| VCID-h94p-ywve-y7h9 | XSS Vulnerability in simple_format helper The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack. |
CVE-2013-6416
GHSA-w37c-q653-qg95 OSV-100526 |
| VCID-hmp2-rmzv-wkhg | Improper Input Validation The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." |
CVE-2011-2929
GHSA-r7q2-5gqg-6c7q |
| VCID-j24x-nhsb-yug6 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. |
CVE-2011-2197
GHSA-v9v4-7jp6-8c73 |
| VCID-j8zg-kq3z-jqcm | Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. |
CVE-2010-3933
GHSA-gjxw-5w2q-7grf |
| VCID-kcj2-v7av-47cv | Reflective XSS Vulnerability There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack. |
CVE-2013-4491
GHSA-699m-mcjm-9cw8 OSV-100528 |
| VCID-msda-xqbp-qfdd | Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug! |
CVE-2021-22903
GHSA-5hq2-xf89-9jxq |
| VCID-n5fx-u6fs-vydu | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
CVE-2014-0080
GHSA-hqf9-rc9j-5fmj OSV-103438 |
| VCID-nf8s-2aaa-17fw | Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses. |
CVE-2013-6417
GHSA-wpw7-wxjm-cw8r OSV-100527 |
| VCID-p22r-u1dd-b7b3 | Missing security headers in Action Pack on non-HTML responses # Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series * 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series * 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series Credits ------- Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this! |
CVE-2024-28103
GHSA-fwhr-88qx-h9g7 |
| VCID-pd5s-1xsg-f7a5 | Rails has a possible XSS vulnerability in its Action Pack debug exceptions ### Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. ### Releases The fixed releases are available at the normal locations. |
CVE-2026-33167
GHSA-pgm4-439c-5jp6 |
| VCID-pmrb-t3bm-zkb6 | Denial of Service Vulnerability in Action View There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service. |
CVE-2013-6414
GHSA-mpxf-gcw2-pw5q OSV-100525 |
| VCID-rps2-k24p-9qgq | Translate helper method which may allow an attacker to insert arbitrary code into a page The helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped. |
CVE-2011-4319
GHSA-xxr8-833v-c7wc OSV-77199 |
| VCID-rq7w-zmh4-17e1 | SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. |
CVE-2012-2661
GHSA-fh39-v733-mxfr OSV-82403 |
| VCID-rqfj-8y7h-eqgm | ActionText ContentAttachment can Contain Unsanitized HTML Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This has been assigned the CVE identifier CVE-2024-32464. Versions Affected: >= 7.1.0 Not affected: < 7.1.0 Fixed Versions: 7.1.3.4 Impact ------ This could lead to a potential cross site scripting issue within the Trix editor. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this! |
CVE-2024-32464
GHSA-prjp-h48f-jgf6 |
| VCID-up42-s1t8-eqa1 | Information disclosure issue in Active Resource There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. |
CVE-2020-8151
GHSA-46j2-xjgp-jrfm |
| VCID-uudj-r63z-kban | XML Parsing Vulnerability affecting JRuby users There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. you should upgrade or use one of the work arounds immediately. |
CVE-2013-1856
GHSA-9c2j-593q-3g82 OSV-91451 |
| VCID-xxbb-7e3n-9yb3 | Cross site scripting in actionpack Rubygem A cross-site scripting vulnerability flaw was found in the `auto_link` function in Rails before version 3.0.6. |
CVE-2011-1497
GHSA-q58j-fmvf-9rq6 |
| VCID-y54w-a8kr-suhy | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. |
CVE-2011-0448
GHSA-jmm9-2p29-vh2w |