Search for packages
| purl | pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie |
| Next non-vulnerable version | 2:7.2.2.1+dfsg-1 |
| Latest non-vulnerable version | 2:7.2.3.1+dfsg-1 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4tzv-1t1b-t3g3
Aliases: CVE-2026-33169 GHSA-cg4j-q9v8-6v38 |
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited ### Impact `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-5tky-d2en-u7c7
Aliases: CVE-2026-33170 GHSA-89vf-4333-qx8v |
Rails Active Support has a possible XSS vulnerability in SafeBuffer#% ### Impact `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-96qr-hdbp-p7ff
Aliases: CVE-2026-33168 GHSA-v55j-83pf-r9cq |
Rails has a possible XSS vulnerability in its Action View tag helpers ### Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-a6z9-5n6k-2kak
Aliases: CVE-2026-33173 GHSA-qcfx-2mfw-w4cg |
Rails Active Storage has possible content type bypass via metadata in direct uploads ### Impact Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-ad6q-vtdf-syb6
Aliases: CVE-2026-33658 GHSA-p9fm-f462-ggrg |
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests ### Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-hatd-vkun-13hj
Aliases: CVE-2026-33202 GHSA-73f9-jhhh-hr5m |
Rails Active Storage has possible glob injection in its DiskService ### Impact Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-qxe4-dubt-1kfp
Aliases: CVE-2026-33174 GHSA-r46p-8f7g-vvvg |
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests ### Impact When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-sarm-n22v-akcm
Aliases: CVE-2026-33176 GHSA-2j26-frm8-cmj9 |
Rails Active Support has a possible DoS vulnerability in its number helpers ### Impact Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-wpmk-wgpm-cuee
Aliases: CVE-2026-33195 GHSA-9xrj-h377-fr87 |
Rails Active Storage has possible Path Traversal in DiskService ### Impact Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12x8-jxdf-jqdz | Actionpack Open Redirect Vulnerability The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
CVE-2021-22881
GHSA-8877-prq4-9xfw |
| VCID-19fr-55kr-hyax | rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute. This vulnerability has been assigned the CVE identifier CVE-2023-23913. Not affected: < 5.1.0 Versions Affected: >= 5.1.0 Fixed Versions: 6.1.7.3, 7.0.4.3 Impact If the specified malicious HTML clipboard content is provided to a contenteditable element, this could result in the arbitrary execution of javascript on the origin in question. Releases The FIXED releases are available at the normal locations. Workarounds We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can attempt to mitigate this vulnerability by removing the contenteditable attribute from elements in pages that rails-ujs will interact with. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series * rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits We would like to thank ryotak 15 for reporting this! * rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB) * rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB) * rails-ujs-data-method-contenteditable-main.patch (8.9 KB) |
CVE-2023-23913
GHSA-xp5h-f8jf-rc8q |
| VCID-1bxs-yghe-cyck | URL Redirection to Untrusted Site ('Open Redirect') A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. |
CVE-2021-22942
GHSA-2rqw-v265-jf8c |
| VCID-1rgy-k7a9-m7au | XSS via posted select tag options Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated `select tag options` upon submission to `actionpack/lib/action_view/helpers/form_options_helper.rb`. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
CVE-2012-1099
GHSA-2xjj-5x6h-8vmf OSV-79727 |
| VCID-1rxp-g9rz-4yb3 | Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
CVE-2023-28120
GHSA-pj73-v5mw-pm9j GMS-2023-765 |
| VCID-1x8k-t8mr-3fgp | URL Redirection to Untrusted Site ('Open Redirect') A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
CVE-2021-44528
GHSA-qphc-hf5q-v8fc |
| VCID-1xgz-hwng-n3eq | Untrusted users can run pending migrations in production in Rails There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185. Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2 Impact ------ Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
CVE-2020-8185
GHSA-c6qr-h5vq-59jc |
| VCID-2efj-tf8d-dfck | Strong Parameter bypass with create_with The `create_with` functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection. |
CVE-2014-3514
GHSA-9rf5-jm6f-2fmm |
| VCID-2mcx-b9k2-83bh | Ruby on Rails vulnerable to code injection Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. |
CVE-2006-4111
GHSA-rvpq-5xqx-pfpp |
| VCID-31xv-z8c6-a7bg | XSS in Action View There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. ### Impact When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples: ```erb <%# The welcome_html translation is not defined for the current locale: %> <%= t("welcome_html", default: untrusted_user_controlled_string) %> <%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %> <%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %> ``` ### Patches Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations. The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest. To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series * [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases. ### Workarounds Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`): ```erb <%= t("welcome_html", default: h(untrusted_user_controlled_string)) %> ``` |
CVE-2020-15169
GHSA-cfjv-5498-mph5 |
| VCID-333w-aacz-mfcr | Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
CVE-2014-7829
GHSA-h56m-vwxc-3qpw |
| VCID-3hur-esmy-x3hr | Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Impact ------ Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2 Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report! |
CVE-2024-47888
GHSA-wwhv-wxv9-rpgw |
| VCID-3m2y-wy1w-n7h1 | SQL Injection Vulnerabilities Affecting PostgreSQL SQLi vulnerability in activerecord. |
CVE-2014-3483
GHSA-r8fh-hq2p-7qhq OSV-108665 |
| VCID-3wtf-uu89-2qe5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. |
CVE-2014-0081
GHSA-m46p-ggm5-5j83 OSV-103439 |
| VCID-3zdr-vasc-a7cn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. |
CVE-2009-3009
GHSA-8qrh-h9m2-5fvf OSV-57666 |
| VCID-43f3-rxwm-fkgv | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." |
CVE-2011-2932
GHSA-9fh3-vh3h-q4g3 |
| VCID-49pq-vg95-jkh2 | Cross-Site Request Forgery (CSRF) Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. |
CVE-2011-0447
GHSA-24fg-p96v-hxh8 |
| VCID-4cky-r218-dkbb | activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. |
CVE-2011-2930
GHSA-h6w6-xmqv-7q78 |
| VCID-4epw-vk25-mfdw | XSS vulnerability in sanitize_css in Action Pack Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack. |
CVE-2013-1855
GHSA-q759-hwvc-m3jg OSV-91452 |
| VCID-4he5-y1u4-gkd2 | XSS Vulnerability in the `sanitize` helper The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious. |
CVE-2013-1857
GHSA-j838-vfpq-fmf2 OSV-91454 |
| VCID-4zhj-en7h-3yaz | Improper Authentication The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. |
CVE-2009-2422
GHSA-rxq3-gm4p-5fj4 |
| VCID-5bh7-drnb-7ygg | Rails has possible XSS Vulnerability in Action Controller # Possible XSS Vulnerability in Action Controller There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143. Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1 Impact ------ Applications using translation methods like `translate`, or `t` on a controller, with a key ending in "_html", a `:default` key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. For example, impacted code will look something like this: ```ruby class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end end ``` To reiterate the pre-conditions, applications must: * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view) * Use a key that ends in `_html` * Use a default value where the default value is untrusted and unescaped input * Send the text to the victim (whether that's part of a template, or a `render` call) All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-0-translate-xss.patch - Patch for 7.0 series * 7-1-translate-xss.patch - Patch for 7.1 series Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix! |
CVE-2024-26143
GHSA-9822-6m93-xqf4 |
| VCID-5hqj-fxmk-cbcy | XSS Vulnerability in number_to_currency The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack. |
CVE-2013-6415
GHSA-6h5q-96hp-9jgm OSV-100524 |
| VCID-5qu2-b8gt-7qe3 | Active Record subject to Regular Expression Denial-of-Service (ReDoS) The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. |
CVE-2021-22880
GHSA-8hc4-xxm3-5ppp |
| VCID-5x54-hckg-x7b8 | Exposure of Sensitive Information to an Unauthorized Actor A bypass vulnerability in Active Storage for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed |
CVE-2018-16477
GHSA-7rr7-rcjw-56vj |
| VCID-63gy-6njy-kbd8 | ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
CVE-2023-22792
GHSA-p84v-45xj-wwqj GMS-2023-58 |
| VCID-65tq-e5eb-eucj | Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this! |
CVE-2024-26144
GHSA-8h22-8cf7-hq6g |
| VCID-6j55-bstz-yybj | High severity vulnerability that affects actionpack actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. |
CVE-2011-0449
GHSA-4ww3-3rxj-8v6q |
| VCID-6ku5-mtgz-zygw | Duplicate This advisory duplicates another. |
CVE-2023-22796
GHSA-j6gc-792m-qgm2 GMS-2023-61 |
| VCID-6pxd-xsaw-tuer | Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5 |
CVE-2023-38037
GHSA-cr5q-6q9f-rq6q |
| VCID-6tty-dbwx-rbgx | Duplicate This advisory duplicates another. |
CVE-2023-22797
GHSA-9445-4cr6-336r GMS-2023-57 |
| VCID-6yr6-a21g-dyf5 | Deserialization of Untrusted Data A Broken Access Control vulnerability in Active Job |
CVE-2018-16476
GHSA-q2qw-rmrh-vv42 |
| VCID-7f5r-9h1g-nuch | Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. |
CVE-2009-3086
GHSA-fg9w-g6m4-557j |
| VCID-86jq-2md2-d7ah | Possible XSS Vulnerability in ActionView There is a possible XSS vulnerability in Action View. Text declared as `HTML safe` will not have quotes escaped when used as attribute values in tag helpers. |
CVE-2016-6316
GHSA-pc3m-v286-2jwj |
| VCID-877d-u9ag-qqdr | Rails Denial of Service vulnerability Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. |
CVE-2006-4112
GHSA-9wrq-xvmp-xjc8 |
| VCID-895a-ydc5-zfg6 | Circumvention of file size limits in ActiveStorage There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1 Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
CVE-2020-8162
GHSA-m42x-37p3-fv5w |
| VCID-8dad-dvat-1fg4 | Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub |
CVE-2019-5418
GHSA-86g5-2wh3-gc9j |
| VCID-9hq5-3usy-5fhq | Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. |
CVE-2016-0751
GHSA-ffpv-c4hm-3x6v |
| VCID-9hvm-2hnk-hyev | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. |
CVE-2007-6077
GHSA-p4c6-77gc-694x |
| VCID-9t7a-muwx-zyee | Improper Access Control The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing `WHERE` clauses via a crafted request. |
CVE-2016-6317
GHSA-pr3r-4wrp-r2pv |
| VCID-a6sp-18av-wya6 | Possible Strong Parameters Bypass in ActionPack There is a strong parameters bypass vector in ActionPack. Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. Impacted code will look something like this: ``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ``` Note the mistaken use of `each` in the `clean_up_params` method in the above example. Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application. |
CVE-2020-8164
GHSA-8727-m6gj-mc37 |
| VCID-awt1-8bxs-xffs | actionpack Improper Authentication vulnerability The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method. |
CVE-2012-3424
GHSA-92w9-2pqw-rhjj OSV-84243 |
| VCID-bjwf-uhyk-63aj | Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. |
CVE-2015-7576
GHSA-p692-7mm3-3fxg |
| VCID-c1w4-z275-tqg7 | Ruby on Rails Potential XSS Vulnerability in select_tag prompt When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. |
CVE-2012-3463
GHSA-98mf-8f57-64qf OSV-84515 |
| VCID-c8b5-d83n-nuhw | Allocation of Resources Without Limits or Throttling There is a possible denial of service vulnerability in Action View (Rails) where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive. |
CVE-2019-5419
GHSA-m63j-wh5w-c252 |
| VCID-ca7u-t1y4-uuc7 | Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3 There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. |
CVE-2013-0333
GHSA-xgr2-v94m-rc9g OSV-89594 |
| VCID-carc-ntrd-ebfe | Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. |
CVE-2013-0156
GHSA-jmgw-6vjg-jjwg OSV-89026 |
| VCID-ce39-j83r-6ug9 | Duplicate This advisory duplicates another. |
CVE-2022-22577
GHSA-mm33-5vfq-3mm3 GMS-2022-1137 |
| VCID-cnqr-6e98-5kgk | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. |
CVE-2011-0446
GHSA-75w6-p6mg-vh8j |
| VCID-cwa7-9d2t-rfhb | actionpack Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. |
CVE-2012-3465
GHSA-7g65-ghrg-hpf5 OSV-84513 |
| VCID-d15q-6ukb-wfff | Object leak vulnerability for wildcard controller routes Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. |
CVE-2015-7581
GHSA-9h6g-gp95-x3q5 |
| VCID-dd9p-x7k3-37ea | Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362. Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4 |
CVE-2023-28362
GHSA-4g8v-vg43-wpgf |
| VCID-drg6-gj1f-h7ea | Duplicate This advisory duplicates another. |
CVE-2022-21831
GHSA-w749-p3v6-hccq GMS-2022-301 |
| VCID-e3j5-xgbr-2qa1 | Possible DoS Vulnerability A carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby's sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: `"some string #{user_input}" % some_number` |
CVE-2013-4389
GHSA-rg5m-3fqp-6px8 OSV-98629 |
| VCID-eb5z-q7rj-j7hh | Active Record component in Ruby on Rails has a data-type injection vulnerability The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
CVE-2013-3221
GHSA-f57c-hx33-hvh8 |
| VCID-ed3f-3bxh-eba4 | activesupport vulnerable to Denial of Service via large XML document depth The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. |
CVE-2015-3227
GHSA-j96r-xvjq-r9pg |
| VCID-ehbj-aezy-d7h4 | Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch # Possible ReDoS vulnerability in Accept header parsing in Action Dispatch There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142. Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1 Impact ------ Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-1-accept-redox.patch - Patch for 7.1 series Credits ------- Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch! |
CVE-2024-26142
GHSA-jjhx-jhvp-74wq |
| VCID-es1t-7196-4kbb | CSRF Vulnerability in rails-ujs There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails <= 6.0.3 Not affected: Applications which don't use rails-ujs. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent. Workarounds ----------- To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this: link_to params to code like this: link_to filtered_params def filtered_params # Filter just the parameters that you trust end |
CVE-2020-8167
GHSA-xq5j-gw7f-jgj8 |
| VCID-g3rk-djae-pkeh | Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report! |
CVE-2024-54133
GHSA-vfm5-rmrh-j26v |
| VCID-g5q6-7uav-sqh1 | Remote code execution via user-provided local names in ActionView The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. |
CVE-2020-8163
GHSA-cr3x-7m39-c6jq |
| VCID-gjey-bqtd-kqa1 | Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this. |
CVE-2021-22885
GHSA-hjg4-8q5f-x6fm |
| VCID-gsx2-9sc2-3fbr | Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. |
CVE-2009-4214
GHSA-9p3v-wf2w-v29c |
| VCID-h94p-ywve-y7h9 | XSS Vulnerability in simple_format helper The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack. |
CVE-2013-6416
GHSA-w37c-q653-qg95 OSV-100526 |
| VCID-hbtn-7423-m3gb | Circumvention of attr_protected The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. |
CVE-2013-0276
GHSA-gr44-7grc-37vq OSV-90072 |
| VCID-hmp2-rmzv-wkhg | Improper Input Validation The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." |
CVE-2011-2929
GHSA-r7q2-5gqg-6c7q |
| VCID-hppf-a715-r7b2 | ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
CVE-2023-22795
GHSA-8xww-x3g3-6jcv GMS-2023-56 |
| VCID-hr2h-y693-sbgc | activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. |
CVE-2012-3464
GHSA-h835-75hw-pj89 OSV-84516 |
| VCID-j24x-nhsb-yug6 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. |
CVE-2011-2197
GHSA-v9v4-7jp6-8c73 |
| VCID-j7p8-hchp-xbe3 | Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. |
CVE-2013-0155
GHSA-gppp-5xc5-wfpx OSV-89025 |
| VCID-j8zg-kq3z-jqcm | Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. |
CVE-2010-3933
GHSA-gjxw-5w2q-7grf |
| VCID-jwun-grgg-2uet | Exposure of information in Action Pack Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. |
CVE-2022-23633
CVE-2022-23634 GHSA-rmj8-8hhh-gv5h GHSA-wh98-p28r-vrc9 |
| VCID-kcj2-v7av-47cv | Reflective XSS Vulnerability There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack. |
CVE-2013-4491
GHSA-699m-mcjm-9cw8 OSV-100528 |
| VCID-kkbt-pr7u-f7gn | Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. |
CVE-2012-6496
GHSA-gh2w-j7cx-2664 OSV-88661 |
| VCID-knsd-pv15-tydx | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. |
CVE-2011-2931
GHSA-v5jg-558j-q67c |
| VCID-kr1b-uct1-7kf6 | Response Splitting Vulnerability in Ruby on Rails A response splitting flaw can allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types. |
CVE-2011-3186
GHSA-fcqf-h4h4-695m OSV-74616 |
| VCID-mep3-6sub-ykdk | Denial of Service Vulnerability when using render :text Strings sent in specially crafted headers will be converted to symbols. |
CVE-2014-0082
GHSA-7cgp-c3g7-qvrw OSV-103440 |
| VCID-mnkw-23eu-bkgc | Ability to forge per-form CSRF tokens in Rails It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session. Impact ------ Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
CVE-2020-8166
GHSA-jp5v-5gx4-jmj9 |
| VCID-msda-xqbp-qfdd | Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug! |
CVE-2021-22903
GHSA-5hq2-xf89-9jxq |
| VCID-n5fx-u6fs-vydu | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
CVE-2014-0080
GHSA-hqf9-rc9j-5fmj OSV-103438 |
| VCID-n8r7-wthv-fqaj | Active Record RCE bug with Serialized Columns When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted. |
CVE-2022-32224
GHSA-3hhc-qp5v-9p2j GMS-2022-3029 |
| VCID-nf8s-2aaa-17fw | Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses. |
CVE-2013-6417
GHSA-wpw7-wxjm-cw8r OSV-100527 |
| VCID-nk6g-hhsk-8kaw | Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 There is a vulnerability in the serialized attribute handling code in Ruby on Rails, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. |
CVE-2013-0277
GHSA-fhj9-cjjh-27vm OSV-90073 |
| VCID-nzeb-cy9e-tkax | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. |
CVE-2008-4094
GHSA-xf96-32q2-9rw2 |
| VCID-p22r-u1dd-b7b3 | Missing security headers in Action Pack on non-HTML responses # Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series * 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series * 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series Credits ------- Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this! |
CVE-2024-28103
GHSA-fwhr-88qx-h9g7 |
| VCID-p5mc-r1rg-5ff7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview. |
CVE-2022-27777
GHSA-ch3h-j2vf-95pv GMS-2022-1138 |
| VCID-pb5f-g4uc-r7fp | Possible Input Validation Circumvention Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the `permit!` method to allow mass assignment. |
CVE-2016-0753
GHSA-543v-gj2c-r3ch |
| VCID-pd5s-1xsg-f7a5 | Rails has a possible XSS vulnerability in its Action Pack debug exceptions ### Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. ### Releases The fixed releases are available at the normal locations. |
CVE-2026-33167
GHSA-pgm4-439c-5jp6 |
| VCID-pmrb-t3bm-zkb6 | Denial of Service Vulnerability in Action View There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service. |
CVE-2013-6414
GHSA-mpxf-gcw2-pw5q OSV-100525 |
| VCID-r1u7-1avr-fqbs | Moderate severity vulnerability that affects rails Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file. |
CVE-2007-5379
GHSA-fjfg-q662-gm6j OSV-40717 |
| VCID-rps2-k24p-9qgq | Translate helper method which may allow an attacker to insert arbitrary code into a page The helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped. |
CVE-2011-4319
GHSA-xxr8-833v-c7wc OSV-77199 |
| VCID-rq7w-zmh4-17e1 | SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. |
CVE-2012-2661
GHSA-fh39-v733-mxfr OSV-82403 |
| VCID-rqfj-8y7h-eqgm | ActionText ContentAttachment can Contain Unsanitized HTML Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This has been assigned the CVE identifier CVE-2024-32464. Versions Affected: >= 7.1.0 Not affected: < 7.1.0 Fixed Versions: 7.1.3.4 Impact ------ This could lead to a potential cross site scripting issue within the Trix editor. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this! |
CVE-2024-32464
GHSA-prjp-h48f-jgf6 |
| VCID-s5ah-tf63-a7cw | Improper Input Validation The Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. |
CVE-2016-2098
GHSA-78rc-8c29-p45g |
| VCID-sb9g-rdnm-rqbm | SQL Injection in Active Record SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
CVE-2014-3482
GHSA-mhwp-qhpc-h3jm OSV-108664 |
| VCID-sfyc-jewr-wuf5 | Possible ReDoS vulnerability in HTTP Token authentication in Action Controller There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887. Impact ------ For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for reporting |
CVE-2024-47887
GHSA-vfg9-r3fq-jvx4 |
| VCID-sgdb-985e-4uej | Possible ReDoS vulnerability in query parameter filtering in Action Dispatch There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128. Impact ------ Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches! |
CVE-2024-41128
GHSA-x76w-6vjr-8xgj |
| VCID-sygb-mygd-s3gb | Duplicate This advisory duplicates another. |
CVE-2022-44566
GHSA-579w-22j4-4749 GMS-2023-59 |
| VCID-sz4r-kjse-cbdd | Remote attacker can conduct SQL injection attacks Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks. |
CVE-2012-6497
GHSA-rx7j-mw4c-76g9 OSV-89064 |
| VCID-t2cx-7ycd-tqhq | activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. |
CVE-2015-3226
GHSA-vxvp-4xwc-jpp6 |
| VCID-t684-yp58-hkg8 | ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: ``` data = cache.fetch("demo", raw: true) { untrusted_string } ``` Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application. In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization. Workarounds ----------- It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the `raw` argument should be double-checked to ensure that they conform to the expected format. |
CVE-2020-8165
GHSA-2p68-f74v-9wc6 |
| VCID-t9yh-ss8z-e3cb | Duplicate This advisory duplicates another. |
CVE-2023-22794
GHSA-hq7p-j377-6v63 GMS-2023-60 |
| VCID-thx6-usb2-kkgc | Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
CVE-2015-7577
GHSA-xrr6-3pc4-m447 |
| VCID-up42-s1t8-eqa1 | Information disclosure issue in Active Resource There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. |
CVE-2020-8151
GHSA-46j2-xjgp-jrfm |
| VCID-uudj-r63z-kban | XML Parsing Vulnerability affecting JRuby users There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. you should upgrade or use one of the work arounds immediately. |
CVE-2013-1856
GHSA-9c2j-593q-3g82 OSV-91451 |
| VCID-v3r3-bwp5-a3bn | Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. |
CVE-2016-0752
GHSA-xrr4-p6fq-hjg7 |
| VCID-v9mt-t1pb-hybk | Cross site scripting vulnerability in ActionView There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. ### Impact There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this: ```erb <script>let a = `<%= j unknown_input %>`</script> ``` or ```erb <script>let a = `<%= escape_javascript unknown_input %>`</script> ``` ### Releases The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations. ### Workarounds For those that can't upgrade, the following monkey patch may be used: ```ruby ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( { "`" => "\\`", "$" => "\\$" } ) module ActionView::Helpers::JavaScriptHelper alias :old_ej :escape_javascript alias :old_j :j def escape_javascript(javascript) javascript = javascript.to_s if javascript.empty? result = "" else result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) end javascript.html_safe? ? result.html_safe : result end alias :j :escape_javascript end ``` ### Patches To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series * [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series Please note that only the 5.2 and 6.0 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. ### Credits Thanks to Jesse Campos from Chef Secure |
CVE-2020-5267
GHSA-65cv-r6x7-79hv |
| VCID-va9q-fjn6-yqee | Direct Manipulation XSS Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of `SafeBuffer` objects via `'[]'` and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
CVE-2012-1098
GHSA-qv8p-v9qw-wc7g OSV-79726 |
| VCID-vgm2-8wjy-x7ed | Improper Input Validation Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. |
CVE-2008-7248
GHSA-8fqx-7pv4-3jwm |
| VCID-wg3a-j2dp-ayh4 | Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue! |
CVE-2021-22904
GHSA-7wjx-3g7j-8584 |
| VCID-wgr4-rzk2-4yet | Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions." |
CVE-2007-5380
GHSA-jwhv-rgqc-fqj5 |
| VCID-wyqh-g8df-hkay | rails is vulnerable to CRLF injection CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. |
CVE-2008-5189
GHSA-jmgf-p46x-982h |
| VCID-wyy6-h8bq-vyde | Denial of Service in Action Dispatch Impact ------ There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue. ```ruby module Mime class Type MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series * 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Security Curious <security...@pm.me> for reporting this! |
CVE-2021-22902
GHSA-g8ww-46x2-2p65 |
| VCID-xa94-z6yu-skf8 | Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately. |
CVE-2013-1854
GHSA-3crr-9vmg-864v OSV-91453 |
| VCID-xqzj-cww4-nbcy | Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. |
CVE-2007-3227
GHSA-gm25-fpmr-43fj OSV-36378 |
| VCID-xxbb-7e3n-9yb3 | Cross site scripting in actionpack Rubygem A cross-site scripting vulnerability flaw was found in the `auto_link` function in Rails before version 3.0.6. |
CVE-2011-1497
GHSA-q58j-fmvf-9rq6 |
| VCID-y54w-a8kr-suhy | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. |
CVE-2011-0448
GHSA-jmm9-2p29-vh2w |
| VCID-yy6t-ybeu-qycc | Possible ReDoS vulnerability in block_format in Action Mailer There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889. Impact ------ Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2 Credits ------- Thanks to yuki_osaki for the report! |
CVE-2024-47889
GHSA-h47h-mwp9-c6q6 |
| VCID-yzpx-3gam-y3bu | Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this! |
CVE-2025-24293
GHSA-r4mg-4433-c7g3 |
| VCID-z1jv-4ga2-7kd1 | Possible Information Leak Vulnerability Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. |
CVE-2016-2097
GHSA-vx9j-46rh-fqr8 |
| VCID-zkvd-bfd6-t7dg | Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
CVE-2014-7818
GHSA-29gr-w57f-rpfw |
| VCID-zqzx-avvt-wkhm | Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
CVE-2025-55193
GHSA-76r7-hhxj-r776 |
| VCID-zy7d-3db6-sydw | Cross-site scripting in actionpack In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
CVE-2020-8264
GHSA-35mm-cc6r-8fjp |
| VCID-zydu-j9dg-fqdb | Improper Input Validation A remote code execution vulnerability in development mode Rails can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. |
CVE-2019-5420
GHSA-m42h-mh85-4qgc |