Package details: pkg:gem/actionpack@1.4.0
purl pkg:gem/actionpack@1.4.0
Next non-vulnerable version 7.0.8.7
Latest non-vulnerable version 8.1.2.1
Risk 10.0
Vulnerabilities affecting this package (51)
Vulnerability Summary Fixed by
VCID-1rgy-k7a9-m7au
Aliases:
CVE-2012-1099
GHSA-2xjj-5x6h-8vmf
OSV-79727
XSS via posted select tag options Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated `select tag options` upon submission to `actionpack/lib/action_view/helpers/form_options_helper.rb`. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
3.0.12
Affected by 51 other vulnerabilities.
3.1.0.beta1
Affected by 52 other vulnerabilities.
3.1.4
Affected by 51 other vulnerabilities.
3.2.0.rc1
Affected by 54 other vulnerabilities.
3.2.2
Affected by 54 other vulnerabilities.
VCID-1xgz-hwng-n3eq
Aliases:
CVE-2020-8185
GHSA-c6qr-h5vq-59jc
Untrusted users can run pending migrations in production in Rails

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2

Impact
------
Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.

Workarounds
-----------
Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environments/production.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`
6.0.3.2
Affected by 18 other vulnerabilities.
VCID-333w-aacz-mfcr
Aliases:
CVE-2014-7829
GHSA-h56m-vwxc-3qpw
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true`
3.2.21
Affected by 35 other vulnerabilities.
4.0.11.1
Affected by 37 other vulnerabilities.
4.0.12
Affected by 36 other vulnerabilities.
4.1.0.beta1
Affected by 38 other vulnerabilities.
4.1.7.1
Affected by 37 other vulnerabilities.
4.1.8
Affected by 36 other vulnerabilities.
4.2.0.beta1
Affected by 32 other vulnerabilities.
4.2.0.beta4
Affected by 31 other vulnerabilities.
VCID-3wtf-uu89-2qe5
Aliases:
CVE-2014-0081
GHSA-m46p-ggm5-5j83
OSV-103439
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
3.2.17
Affected by 41 other vulnerabilities.
4.0.3
Affected by 41 other vulnerabilities.
4.1.0.beta1
Affected by 38 other vulnerabilities.
4.1.1
Affected by 39 other vulnerabilities.
VCID-3x4p-t3yb-3yak
Aliases:
GHSA-5xmj-wm96-fmw8
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
3.2.21
Affected by 35 other vulnerabilities.
4.0.12
Affected by 36 other vulnerabilities.
4.1.8
Affected by 36 other vulnerabilities.
VCID-3zdr-vasc-a7cn
Aliases:
CVE-2009-3009
GHSA-8qrh-h9m2-5fvf
OSV-57666
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
2.2.3
Affected by 51 other vulnerabilities.
2.3.4
Affected by 51 other vulnerabilities.
VCID-49pq-vg95-jkh2
Aliases:
CVE-2011-0447
GHSA-24fg-p96v-hxh8
Cross-Site Request Forgery (CSRF) Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
2.3.11
Affected by 51 other vulnerabilities.
3.0.4
Affected by 53 other vulnerabilities.
VCID-4epw-vk25-mfdw
Aliases:
CVE-2013-1855
GHSA-q759-hwvc-m3jg
OSV-91452
XSS vulnerability in sanitize_css in Action Pack Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack.
2.3.18
Affected by 45 other vulnerabilities.
3.1.12
Affected by 47 other vulnerabilities.
3.2.13
Affected by 50 other vulnerabilities.
VCID-4he5-y1u4-gkd2
Aliases:
CVE-2013-1857
GHSA-j838-vfpq-fmf2
OSV-91454
XSS Vulnerability in the `sanitize` helper The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.
2.3.18
Affected by 45 other vulnerabilities.
3.1.12
Affected by 47 other vulnerabilities.
3.2.13
Affected by 50 other vulnerabilities.
VCID-5hqj-fxmk-cbcy
Aliases:
CVE-2013-6415
GHSA-6h5q-96hp-9jgm
OSV-100524
XSS Vulnerability in number_to_currency The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Applications which pass user-controlled data as the unit parameter are vulnerable to an XSS attack.
3.2.16
Affected by 43 other vulnerabilities.
4.0.2
Affected by 42 other vulnerabilities.
VCID-63gy-6njy-kbd8
Aliases:
CVE-2023-22792
GHSA-p84v-45xj-wwqj
GMS-2023-58
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
5.2.8
Affected by 7 other vulnerabilities.
5.2.8.15
Affected by 0 other vulnerabilities.
6.1.7.1
Affected by 8 other vulnerabilities.
7.0.4.1
Affected by 9 other vulnerabilities.
VCID-6j55-bstz-yybj
Aliases:
CVE-2011-0449
GHSA-4ww3-3rxj-8v6q
High severity vulnerability that affects actionpack actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
3.0.4
Affected by 53 other vulnerabilities.
VCID-7f5r-9h1g-nuch
Aliases:
CVE-2009-3086
GHSA-fg9w-g6m4-557j
Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
2.2.3
Affected by 51 other vulnerabilities.
2.3.4
Affected by 51 other vulnerabilities.
VCID-9hq5-3usy-5fhq
Aliases:
CVE-2016-0751
GHSA-ffpv-c4hm-3x6v
Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.
3.2.22.1
Affected by 30 other vulnerabilities.
4.1.14.1
Affected by 29 other vulnerabilities.
4.2.5.1
Affected by 28 other vulnerabilities.
5.0.0.beta1.1
Affected by 26 other vulnerabilities.
VCID-a6sp-18av-wya6
Aliases:
CVE-2020-8164
GHSA-8727-m6gj-mc37
Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3
Not affected: rails < 5.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your application.
5.2.4.3
Affected by 14 other vulnerabilities.
6.0.3.1
Affected by 19 other vulnerabilities.
VCID-awt1-8bxs-xffs
Aliases:
CVE-2012-3424
GHSA-92w9-2pqw-rhjj
OSV-84243
actionpack Improper Authentication vulnerability The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method.
2.3.5
Affected by 51 other vulnerabilities.
3.0.16
Affected by 50 other vulnerabilities.
3.1.0.beta1
Affected by 52 other vulnerabilities.
3.1.7
Affected by 50 other vulnerabilities.
3.2.0.rc1
Affected by 54 other vulnerabilities.
3.2.7
Affected by 53 other vulnerabilities.
VCID-bjwf-uhyk-63aj
Aliases:
CVE-2015-7576
GHSA-p692-7mm3-3fxg
Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell your application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application.
3.2.22.1
Affected by 30 other vulnerabilities.
4.1.14.1
Affected by 29 other vulnerabilities.
4.2.5.1
Affected by 28 other vulnerabilities.
5.0.0.beta1.1
Affected by 26 other vulnerabilities.
VCID-c1w4-z275-tqg7
Aliases:
CVE-2012-3463
GHSA-98mf-8f57-64qf
OSV-84515
Ruby on Rails Potential XSS Vulnerability in select_tag prompt When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
2.3.2
Affected by 51 other vulnerabilities.
3.0.17
Affected by 48 other vulnerabilities.
3.1.0.beta1
Affected by 52 other vulnerabilities.
3.1.8
Affected by 48 other vulnerabilities.
3.2.0.rc1
Affected by 54 other vulnerabilities.
3.2.8
Affected by 51 other vulnerabilities.
VCID-carc-ntrd-ebfe
Aliases:
CVE-2013-0156
GHSA-jmgw-6vjg-jjwg
OSV-89026
Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
2.3.15
Affected by 46 other vulnerabilities.
3.0.19
Affected by 47 other vulnerabilities.
3.1.0.beta1
Affected by 52 other vulnerabilities.
3.1.10
Affected by 47 other vulnerabilities.
3.2.0.rc1
Affected by 54 other vulnerabilities.
3.2.11
Affected by 50 other vulnerabilities.
VCID-cdnw-t8n1-23ep
Aliases:
CVE-2011-3187
GHSA-3vfw-7rcp-3xgm
Improper Input Validation The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
2.3.13
Affected by 0 other vulnerabilities.
2.3.14
Affected by 50 other vulnerabilities.
VCID-cnqr-6e98-5kgk
Aliases:
CVE-2011-0446
GHSA-75w6-p6mg-vh8j
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
2.3.11
Affected by 51 other vulnerabilities.
3.0.4
Affected by 53 other vulnerabilities.
VCID-cwa7-9d2t-rfhb
Aliases:
CVE-2012-3465
GHSA-7g65-ghrg-hpf5
OSV-84513
actionpack Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
2.3.16
Affected by 45 other vulnerabilities.
3.0.17
Affected by 48 other vulnerabilities.
3.1.0.beta1
Affected by 52 other vulnerabilities.
3.1.8
Affected by 48 other vulnerabilities.
3.2.0.rc1
Affected by 54 other vulnerabilities.
3.2.8
Affected by 51 other vulnerabilities.
VCID-dd9p-x7k3-37ea
Aliases:
CVE-2023-28362
GHSA-4g8v-vg43-wpgf
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362. Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
6.1.7.4
Affected by 5 other vulnerabilities.
7.0.5.1
Affected by 6 other vulnerabilities.
VCID-ehbj-aezy-d7h4
Aliases:
CVE-2024-26142
GHSA-jjhx-jhvp-74wq
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.

Versions Affected: >= 7.1.0, < 7.1.3.1
Not affected: < 7.1.0
Fixed Versions: 7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!
7.1.3.1
Affected by 4 other vulnerabilities.
VCID-g3rk-djae-pkeh
Aliases:
CVE-2024-54133
GHSA-vfm5-rmrh-j26v
Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
7.0.8.7
Affected by 0 other vulnerabilities.
7.1.0.beta1
Affected by 4 other vulnerabilities.
7.1.5.1
Affected by 0 other vulnerabilities.
7.2.0.beta1
Affected by 4 other vulnerabilities.
7.2.2.1
Affected by 0 other vulnerabilities.
8.0.0.beta1
Affected by 3 other vulnerabilities.
8.0.0.1
Affected by 0 other vulnerabilities.
VCID-h8gs-ansa-9bd9
Aliases:
GHSA-m53f-rhq8-q6hf
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
3.2.22.1
Affected by 30 other vulnerabilities.
4.1.14.1
Affected by 29 other vulnerabilities.
4.2.5.1
Affected by 28 other vulnerabilities.
VCID-h94p-ywve-y7h9
Aliases:
CVE-2013-6416
GHSA-w37c-q653-qg95
OSV-100526
XSS Vulnerability in simple_format helper The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.
2.3.2
Affected by 51 other vulnerabilities.
3.1.0
Affected by 52 other vulnerabilities.
3.2.0
Affected by 55 other vulnerabilities.
4.0.2
Affected by 42 other vulnerabilities.
VCID-hmp2-rmzv-wkhg
Aliases:
CVE-2011-2929
GHSA-r7q2-5gqg-6c7q
Improper Input Validation The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
3.0.10
Affected by 52 other vulnerabilities.
3.1.0
Affected by 52 other vulnerabilities.
VCID-hppf-a715-r7b2
Aliases:
CVE-2023-22795
GHSA-8xww-x3g3-6jcv
GMS-2023-56
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
5.2.8
Affected by 7 other vulnerabilities.
6.1.7.1
Affected by 8 other vulnerabilities.
7.0.4.1
Affected by 9 other vulnerabilities.
VCID-j24x-nhsb-yug6
Aliases:
CVE-2011-2197
GHSA-v9v4-7jp6-8c73
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
2.3.11
Affected by 51 other vulnerabilities.
2.3.12
Affected by 51 other vulnerabilities.
3.0.7
Affected by 52 other vulnerabilities.
3.0.8
Affected by 52 other vulnerabilities.
VCID-kcj2-v7av-47cv
Aliases:
CVE-2013-4491
GHSA-699m-mcjm-9cw8
OSV-100528
Reflective XSS Vulnerability There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.
3.2.16
Affected by 43 other vulnerabilities.
4.0.2
Affected by 42 other vulnerabilities.
VCID-knsd-pv15-tydx
Aliases:
CVE-2011-2931
GHSA-v5jg-558j-q67c
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
2.3.13
Affected by 0 other vulnerabilities.
2.3.14
Affected by 50 other vulnerabilities.
3.0.10
Affected by 52 other vulnerabilities.
VCID-kr1b-uct1-7kf6
Aliases:
CVE-2011-3186
GHSA-fcqf-h4h4-695m
OSV-74616
Response Splitting Vulnerability in Ruby on Rails A response splitting flaw can allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types.
2.3.13
Affected by 0 other vulnerabilities.
2.3.14
Affected by 50 other vulnerabilities.
3.0.0.beta
Affected by 51 other vulnerabilities.
VCID-mep3-6sub-ykdk
Aliases:
CVE-2014-0082
GHSA-7cgp-c3g7-qvrw
OSV-103440
Denial of Service Vulnerability when using render :text Strings sent in specially crafted headers will be converted to symbols.
3.2.17
Affected by 41 other vulnerabilities.
4.0.0.beta1
Affected by 41 other vulnerabilities.
4.0.0
Affected by 48 other vulnerabilities.
VCID-mnkw-23eu-bkgc
Aliases:
CVE-2020-8166
GHSA-jp5v-5gx4-jmj9
Ability to forge per-form CSRF tokens in Rails

It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------
Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------
This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.
5.2.4.3
Affected by 14 other vulnerabilities.
6.0.3.1
Affected by 19 other vulnerabilities.
VCID-msda-xqbp-qfdd
Aliases:
CVE-2021-22903
GHSA-5hq2-xf89-9jxq
Possible Open Redirect Vulnerability in Action Pack

There is a possible Open Redirect Vulnerability in Action Pack.

Versions Affected: >= v6.1.0.rc2
Not affected: < v6.1.0.rc2
Fixed Versions: 6.1.3.2

Impact
------
This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Since rails/rails@9bc7ea5, strings in `config.hosts` that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts << "sub.example.com"` to permit a request with a Host header value of `sub-example.com`.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch put in an initializer can be used as a workaround.

```ruby
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 6-1-open-redirect.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!
6.1.3.2
Affected by 13 other vulnerabilities.
VCID-n8cc-3stk-97b5
Aliases:
GHSA-23v3-qfrj-wmgh
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
3.2.20
Affected by 37 other vulnerabilities.
4.0.11
Affected by 37 other vulnerabilities.
4.1.7
Affected by 37 other vulnerabilities.
VCID-nf8s-2aaa-17fw
Aliases:
CVE-2013-6417
GHSA-wpw7-wxjm-cw8r
OSV-100527
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses.
3.2.16
Affected by 43 other vulnerabilities.
4.0.2
Affected by 42 other vulnerabilities.
VCID-p5mc-r1rg-5ff7
Aliases:
CVE-2022-27777
GHSA-ch3h-j2vf-95pv
GMS-2022-1138
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.
5.2.7.1
Affected by 7 other vulnerabilities.
6.0.4.8
Affected by 7 other vulnerabilities.
6.1.5.1
Affected by 8 other vulnerabilities.
7.0.2.4
Affected by 10 other vulnerabilities.
VCID-phxs-zet8-ryh3
Aliases:
CVE-2012-2660
GHSA-hgpp-pp89-4fgf
OSV-82610
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses into application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places.
2.3.16
Affected by 45 other vulnerabilities.
3.0.13
Affected by 51 other vulnerabilities.
3.1.5
Affected by 51 other vulnerabilities.
3.2.4
Affected by 54 other vulnerabilities.
VCID-pmrb-t3bm-zkb6
Aliases:
CVE-2013-6414
GHSA-mpxf-gcw2-pw5q
OSV-100525
Denial of Service Vulnerability in Action View There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.
2.3.2
Affected by 51 other vulnerabilities.
3.2.16
Affected by 43 other vulnerabilities.
4.0.2
Affected by 42 other vulnerabilities.
VCID-rps2-k24p-9qgq
Aliases:
CVE-2011-4319
GHSA-xxr8-833v-c7wc
OSV-77199
Translate helper method which may allow an attacker to insert arbitrary code into a page The helper method for i18n translations has a convention whereby translation strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.
3.0.11
Affected by 52 other vulnerabilities.
3.1.2
Affected by 52 other vulnerabilities.
VCID-sfyc-jewr-wuf5
Aliases:
CVE-2024-47887
GHSA-vfg9-r3fq-jvx4
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------
For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.

Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
6.1.7.9
Affected by 1 other vulnerability.
7.0.0.alpha1
Affected by 6 other vulnerabilities.
7.0.8.5
Affected by 1 other vulnerability.
7.1.0.beta1
Affected by 4 other vulnerabilities.
7.1.4.1
Affected by 1 other vulnerability.
7.2.0.beta1
Affected by 4 other vulnerabilities.
7.2.1.1
Affected by 1 other vulnerability.
8.0.0.beta1
Affected by 3 other vulnerabilities.
VCID-sgdb-985e-4uej
Aliases:
CVE-2024-41128
GHSA-x76w-6vjr-8xgj
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.

Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
6.1.7.9
Affected by 1 other vulnerability.
7.0.0.alpha1
Affected by 6 other vulnerabilities.
7.0.8.5
Affected by 1 other vulnerability.
7.1.0.beta1
Affected by 4 other vulnerabilities.
7.1.4.1
Affected by 1 other vulnerability.
7.2.0.beta1
Affected by 4 other vulnerabilities.
7.2.1.1
Affected by 1 other vulnerability.
8.0.0.beta1
Affected by 3 other vulnerabilities.
VCID-tt6r-bytq-4fa4
Aliases:
CVE-2012-2694
GHSA-q34c-48gc-m9g8
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request `actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660.
3.0.14
Affected by 51 other vulnerabilities.
3.1.6
Affected by 51 other vulnerabilities.
3.2.6
Affected by 54 other vulnerabilities.
VCID-v3r3-bwp5-a3bn
Aliases:
CVE-2016-0752
GHSA-xrr4-p6fq-hjg7
Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname.
3.2.22.1
Affected by 30 other vulnerabilities.
4.1.14.1
Affected by 29 other vulnerabilities.
4.2.5.1
Affected by 28 other vulnerabilities.
VCID-vgm2-8wjy-x7ed
Aliases:
CVE-2008-7248
GHSA-8fqx-7pv4-3jwm
Improper Input Validation Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
2.1.3
Affected by 0 other vulnerabilities.
2.2.2
Affected by 51 other vulnerabilities.
VCID-wg3a-j2dp-ayh4
Aliases:
CVE-2021-22904
GHSA-7wjx-3g7j-8584
Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this:

```
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue:

```ruby
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-http-authentication-dos.patch - Patch for 5.2 series
* 6-0-http-authentication-dos.patch - Patch for 6.0 series
* 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
5.2.4.6
Affected by 11 other vulnerabilities.
5.2.6
Affected by 11 other vulnerabilities.
6.0.3.7
Affected by 13 other vulnerabilities.
6.1.3.2
Affected by 13 other vulnerabilities.
VCID-y8gn-9fat-e7d1
Aliases:
GHSA-qf5x-qgx7-437h
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
3.2.18
Affected by 39 other vulnerabilities.
4.0.5
Affected by 39 other vulnerabilities.
4.1.1
Affected by 39 other vulnerabilities.
VCID-ynqu-cjn9-fqf2
Aliases:
GHSA-vwfg-qj3r-6v3r
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
3.2.22.1
Affected by 30 other vulnerabilities.
4.1.14.1
Affected by 29 other vulnerabilities.
4.2.5.1
Affected by 28 other vulnerabilities.
VCID-zkvd-bfd6-t7dg
Aliases:
CVE-2014-7818
GHSA-29gr-w57f-rpfw
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true`
3.2.20
Affected by 37 other vulnerabilities.
4.0.11
Affected by 37 other vulnerabilities.
4.1.0.beta1
Affected by 38 other vulnerabilities.
4.1.7
Affected by 37 other vulnerabilities.
4.2.0.beta1
Affected by 32 other vulnerabilities.
4.2.0.beta3
Affected by 31 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T01:22:58.687167+00:00 GHSA Importer Affected by VCID-ynqu-cjn9-fqf2 https://github.com/advisories/GHSA-vwfg-qj3r-6v3r 38.4.0
2026-04-16T01:22:55.088899+00:00 GHSA Importer Affected by VCID-h8gs-ansa-9bd9 https://github.com/advisories/GHSA-m53f-rhq8-q6hf 38.4.0
2026-04-16T01:22:53.483316+00:00 GHSA Importer Affected by VCID-3x4p-t3yb-3yak https://github.com/advisories/GHSA-5xmj-wm96-fmw8 38.4.0
2026-04-16T01:22:52.465191+00:00 GHSA Importer Affected by VCID-n8cc-3stk-97b5 https://github.com/advisories/GHSA-23v3-qfrj-wmgh 38.4.0
2026-04-16T01:22:51.135686+00:00 GHSA Importer Affected by VCID-y8gn-9fat-e7d1 https://github.com/advisories/GHSA-qf5x-qgx7-437h 38.4.0
2026-04-11T23:51:33.612655+00:00 GitLab Importer Affected by VCID-dd9p-x7k3-37ea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2023-28362.yml 38.3.0
2026-04-11T23:39:24.240097+00:00 GitLab Importer Affected by VCID-hppf-a715-r7b2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/GMS-2023-56.yml 38.3.0
2026-04-11T23:18:17.414527+00:00 GitLab Importer Affected by VCID-p5mc-r1rg-5ff7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2022-27777.yml 38.3.0
2026-04-11T22:38:58.070290+00:00 GitLab Importer Affected by VCID-wg3a-j2dp-ayh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22904.yml 38.3.0
2026-04-11T22:38:56.359624+00:00 GitLab Importer Affected by VCID-msda-xqbp-qfdd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22903.yml 38.3.0
2026-04-11T22:16:38.261648+00:00 GitLab Importer Affected by VCID-1xgz-hwng-n3eq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8185.yml 38.3.0
2026-04-11T22:16:36.606654+00:00 GitLab Importer Affected by VCID-mnkw-23eu-bkgc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8166.yml 38.3.0
2026-04-11T22:16:07.455202+00:00 GitLab Importer Affected by VCID-a6sp-18av-wya6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8164.yml 38.3.0
2026-04-11T21:50:41.218865+00:00 GitLab Importer Affected by VCID-v3r3-bwp5-a3bn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0752.yml 38.3.0
2026-04-11T21:50:35.156020+00:00 GitLab Importer Affected by VCID-phxs-zet8-ryh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-2660.yml 38.3.0
2026-04-11T21:50:24.517224+00:00 GitLab Importer Affected by VCID-cnqr-6e98-5kgk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2011-0446.yml 38.3.0
2026-04-11T21:50:19.964082+00:00 GitLab Importer Affected by VCID-awt1-8bxs-xffs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3424.yml 38.3.0
2026-04-11T21:50:18.967976+00:00 GitLab Importer Affected by VCID-cwa7-9d2t-rfhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3465.yml 38.3.0
2026-04-11T21:43:50.921000+00:00 GitLab Importer Affected by VCID-bjwf-uhyk-63aj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2015-7576.yml 38.3.0
2026-04-11T21:43:48.519631+00:00 GitLab Importer Affected by VCID-9hq5-3usy-5fhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0751.yml 38.3.0
2026-04-11T21:41:35.801765+00:00 GitLab Importer Affected by VCID-3wtf-uu89-2qe5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0081.yml 38.3.0
2026-04-11T21:41:34.711979+00:00 GitLab Importer Affected by VCID-mep3-6sub-ykdk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0082.yml 38.3.0
2026-04-11T21:41:24.739212+00:00 GitLab Importer Affected by VCID-pmrb-t3bm-zkb6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6414.yml 38.3.0
2026-04-11T21:41:22.499491+00:00 GitLab Importer Affected by VCID-5hqj-fxmk-cbcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6415.yml 38.3.0
2026-04-11T21:40:56.291426+00:00 GitLab Importer Affected by VCID-4epw-vk25-mfdw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1855.yml 38.3.0
2026-04-11T21:40:54.443435+00:00 GitLab Importer Affected by VCID-4he5-y1u4-gkd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1857.yml 38.3.0
2026-04-11T21:40:44.468650+00:00 GitLab Importer Affected by VCID-carc-ntrd-ebfe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-0156.yml 38.3.0
2026-04-11T21:38:51.741579+00:00 Ruby Importer Affected by VCID-g3rk-djae-pkeh https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml 38.3.0
2026-04-11T21:38:43.040091+00:00 Ruby Importer Affected by VCID-sgdb-985e-4uej https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml 38.3.0
2026-04-11T21:38:26.452762+00:00 Ruby Importer Affected by VCID-sfyc-jewr-wuf5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml 38.3.0
2026-04-11T21:38:11.576604+00:00 Ruby Importer Affected by VCID-ehbj-aezy-d7h4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml 38.3.0
2026-04-11T21:37:04.272447+00:00 Ruby Importer Affected by VCID-63gy-6njy-kbd8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml 38.3.0
2026-04-11T21:36:59.707643+00:00 Ruby Importer Affected by VCID-hppf-a715-r7b2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml 38.3.0
2026-04-11T21:34:30.789878+00:00 Ruby Importer Affected by VCID-6j55-bstz-yybj https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml 38.3.0
2026-04-11T21:34:18.275000+00:00 Ruby Importer Affected by VCID-7f5r-9h1g-nuch https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml 38.3.0
2026-04-11T21:34:09.537471+00:00 Ruby Importer Affected by VCID-49pq-vg95-jkh2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml 38.3.0
2026-04-11T21:33:54.252960+00:00 Ruby Importer Affected by VCID-knsd-pv15-tydx https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml 38.3.0
2026-04-11T21:33:52.749592+00:00 Ruby Importer Affected by VCID-cdnw-t8n1-23ep https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml 38.3.0
2026-04-11T21:33:50.050484+00:00 Ruby Importer Affected by VCID-3zdr-vasc-a7cn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3009.yml 38.3.0
2026-04-11T21:33:44.249957+00:00 Ruby Importer Affected by VCID-tt6r-bytq-4fa4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml 38.3.0
2026-04-11T21:33:29.022105+00:00 Ruby Importer Affected by VCID-j24x-nhsb-yug6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2197.yml 38.3.0
2026-04-11T21:33:25.396686+00:00 Ruby Importer Affected by VCID-hmp2-rmzv-wkhg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml 38.3.0
2026-04-11T21:33:22.119333+00:00 Ruby Importer Affected by VCID-phxs-zet8-ryh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml 38.3.0
2026-04-11T21:33:19.715200+00:00 Ruby Importer Affected by VCID-vgm2-8wjy-x7ed https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml 38.3.0
2026-04-11T21:33:16.691591+00:00 Ruby Importer Affected by VCID-cnqr-6e98-5kgk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml 38.3.0
2026-04-11T21:33:13.921909+00:00 Ruby Importer Affected by VCID-rps2-k24p-9qgq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml 38.3.0
2026-04-11T21:32:37.299299+00:00 Ruby Importer Affected by VCID-333w-aacz-mfcr https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml 38.3.0
2026-04-11T21:32:33.802068+00:00 Ruby Importer Affected by VCID-zkvd-bfd6-t7dg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml 38.3.0
2026-04-11T21:32:18.666879+00:00 Ruby Importer Affected by VCID-mep3-6sub-ykdk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml 38.3.0
2026-04-11T21:32:16.747149+00:00 Ruby Importer Affected by VCID-3wtf-uu89-2qe5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml 38.3.0
2026-04-11T21:32:12.179757+00:00 Ruby Importer Affected by VCID-pmrb-t3bm-zkb6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml 38.3.0
2026-04-11T21:32:10.816468+00:00 Ruby Importer Affected by VCID-nf8s-2aaa-17fw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml 38.3.0
2026-04-11T21:32:09.480799+00:00 Ruby Importer Affected by VCID-5hqj-fxmk-cbcy https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml 38.3.0
2026-04-11T21:32:08.164943+00:00 Ruby Importer Affected by VCID-kcj2-v7av-47cv https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml 38.3.0
2026-04-11T21:32:05.805351+00:00 Ruby Importer Affected by VCID-h94p-ywve-y7h9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml 38.3.0
2026-04-11T21:31:51.549192+00:00 Ruby Importer Affected by VCID-4epw-vk25-mfdw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml 38.3.0
2026-04-11T21:31:48.270912+00:00 Ruby Importer Affected by VCID-4he5-y1u4-gkd2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1857.yml 38.3.0
2026-04-11T21:31:29.094571+00:00 Ruby Importer Affected by VCID-carc-ntrd-ebfe https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-0156.yml 38.3.0
2026-04-11T21:31:20.267578+00:00 Ruby Importer Affected by VCID-c1w4-z275-tqg7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3463.yml 38.3.0
2026-04-11T21:31:18.793488+00:00 Ruby Importer Affected by VCID-cwa7-9d2t-rfhb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3465.yml 38.3.0
2026-04-11T21:31:16.587693+00:00 Ruby Importer Affected by VCID-awt1-8bxs-xffs https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3424.yml 38.3.0
2026-04-11T21:31:09.182806+00:00 Ruby Importer Affected by VCID-1rgy-k7a9-m7au https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml 38.3.0
2026-04-11T21:31:02.242431+00:00 Ruby Importer Affected by VCID-kr1b-uct1-7kf6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3186.yml 38.3.0
2026-04-11T12:52:19.934605+00:00 GHSA Importer Affected by VCID-ynqu-cjn9-fqf2 https://github.com/advisories/GHSA-vwfg-qj3r-6v3r 38.3.0
2026-04-11T12:52:16.239182+00:00 GHSA Importer Affected by VCID-h8gs-ansa-9bd9 https://github.com/advisories/GHSA-m53f-rhq8-q6hf 38.3.0
2026-04-11T12:52:14.592230+00:00 GHSA Importer Affected by VCID-3x4p-t3yb-3yak https://github.com/advisories/GHSA-5xmj-wm96-fmw8 38.3.0
2026-04-11T12:52:13.591433+00:00 GHSA Importer Affected by VCID-n8cc-3stk-97b5 https://github.com/advisories/GHSA-23v3-qfrj-wmgh 38.3.0
2026-04-11T12:52:12.163332+00:00 GHSA Importer Affected by VCID-y8gn-9fat-e7d1 https://github.com/advisories/GHSA-qf5x-qgx7-437h 38.3.0
2026-04-02T23:54:48.304030+00:00 GitLab Importer Affected by VCID-dd9p-x7k3-37ea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2023-28362.yml 38.1.0
2026-04-02T23:43:35.627597+00:00 GitLab Importer Affected by VCID-hppf-a715-r7b2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/GMS-2023-56.yml 38.1.0
2026-04-02T23:25:53.096229+00:00 GitLab Importer Affected by VCID-p5mc-r1rg-5ff7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2022-27777.yml 38.1.0
2026-04-02T22:49:35.042752+00:00 GitLab Importer Affected by VCID-wg3a-j2dp-ayh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22904.yml 38.1.0
2026-04-02T22:49:33.561061+00:00 GitLab Importer Affected by VCID-msda-xqbp-qfdd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22903.yml 38.1.0
2026-04-02T22:28:47.472832+00:00 GitLab Importer Affected by VCID-1xgz-hwng-n3eq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8185.yml 38.1.0
2026-04-02T22:28:46.010783+00:00 GitLab Importer Affected by VCID-mnkw-23eu-bkgc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8166.yml 38.1.0
2026-04-02T22:28:18.082841+00:00 GitLab Importer Affected by VCID-a6sp-18av-wya6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8164.yml 38.1.0
2026-04-02T22:04:30.023781+00:00 GitLab Importer Affected by VCID-v3r3-bwp5-a3bn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0752.yml 38.1.0
2026-04-02T22:04:24.293127+00:00 GitLab Importer Affected by VCID-phxs-zet8-ryh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-2660.yml 38.1.0
2026-04-02T22:04:14.202164+00:00 GitLab Importer Affected by VCID-cnqr-6e98-5kgk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2011-0446.yml 38.1.0
2026-04-02T22:04:10.499491+00:00 GitLab Importer Affected by VCID-awt1-8bxs-xffs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3424.yml 38.1.0
2026-04-02T22:04:09.673637+00:00 GitLab Importer Affected by VCID-cwa7-9d2t-rfhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3465.yml 38.1.0
2026-04-02T21:57:58.761521+00:00 GitLab Importer Affected by VCID-bjwf-uhyk-63aj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2015-7576.yml 38.1.0
2026-04-02T21:57:55.754023+00:00 GitLab Importer Affected by VCID-9hq5-3usy-5fhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0751.yml 38.1.0
2026-04-02T21:55:47.169351+00:00 GitLab Importer Affected by VCID-3wtf-uu89-2qe5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0081.yml 38.1.0
2026-04-02T21:55:46.208500+00:00 GitLab Importer Affected by VCID-mep3-6sub-ykdk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0082.yml 38.1.0
2026-04-02T21:55:35.479919+00:00 GitLab Importer Affected by VCID-pmrb-t3bm-zkb6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6414.yml 38.1.0
2026-04-02T21:55:32.956520+00:00 GitLab Importer Affected by VCID-5hqj-fxmk-cbcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6415.yml 38.1.0
2026-04-02T21:55:04.792144+00:00 GitLab Importer Affected by VCID-4epw-vk25-mfdw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1855.yml 38.1.0
2026-04-02T21:55:03.192429+00:00 GitLab Importer Affected by VCID-4he5-y1u4-gkd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1857.yml 38.1.0
2026-04-02T21:54:50.104472+00:00 GitLab Importer Affected by VCID-carc-ntrd-ebfe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-0156.yml 38.1.0
2026-04-02T19:36:39.972443+00:00 Ruby Importer Affected by VCID-g3rk-djae-pkeh https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml 38.1.0
2026-04-02T19:36:35.106056+00:00 Ruby Importer Affected by VCID-sgdb-985e-4uej https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml 38.1.0
2026-04-02T19:36:21.936277+00:00 Ruby Importer Affected by VCID-sfyc-jewr-wuf5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml 38.1.0
2026-04-02T19:36:10.121814+00:00 Ruby Importer Affected by VCID-ehbj-aezy-d7h4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml 38.1.0
2026-04-02T19:35:10.020774+00:00 Ruby Importer Affected by VCID-63gy-6njy-kbd8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml 38.1.0
2026-04-02T19:35:06.078989+00:00 Ruby Importer Affected by VCID-hppf-a715-r7b2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml 38.1.0
2026-04-02T19:32:49.005936+00:00 Ruby Importer Affected by VCID-6j55-bstz-yybj https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml 38.1.0
2026-04-02T19:32:37.917647+00:00 Ruby Importer Affected by VCID-7f5r-9h1g-nuch https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml 38.1.0
2026-04-02T19:32:30.456009+00:00 Ruby Importer Affected by VCID-49pq-vg95-jkh2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml 38.1.0
2026-04-02T19:32:17.512259+00:00 Ruby Importer Affected by VCID-knsd-pv15-tydx https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml 38.1.0
2026-04-02T19:32:16.235265+00:00 Ruby Importer Affected by VCID-cdnw-t8n1-23ep https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml 38.1.0
2026-04-02T19:32:13.878338+00:00 Ruby Importer Affected by VCID-3zdr-vasc-a7cn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3009.yml 38.1.0
2026-04-02T19:32:09.040692+00:00 Ruby Importer Affected by VCID-tt6r-bytq-4fa4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml 38.1.0
2026-04-02T19:31:55.953122+00:00 Ruby Importer Affected by VCID-j24x-nhsb-yug6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2197.yml 38.1.0
2026-04-02T19:31:52.924612+00:00 Ruby Importer Affected by VCID-hmp2-rmzv-wkhg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml 38.1.0
2026-04-02T19:31:50.094334+00:00 Ruby Importer Affected by VCID-phxs-zet8-ryh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml 38.1.0
2026-04-02T19:31:47.934291+00:00 Ruby Importer Affected by VCID-vgm2-8wjy-x7ed https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml 38.1.0
2026-04-02T19:31:45.240848+00:00 Ruby Importer Affected by VCID-cnqr-6e98-5kgk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml 38.1.0
2026-04-02T19:31:42.786767+00:00 Ruby Importer Affected by VCID-rps2-k24p-9qgq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml 38.1.0
2026-04-02T19:31:09.969108+00:00 Ruby Importer Affected by VCID-333w-aacz-mfcr https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml 38.1.0
2026-04-02T19:31:06.986163+00:00 Ruby Importer Affected by VCID-zkvd-bfd6-t7dg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml 38.1.0
2026-04-02T19:30:51.928901+00:00 Ruby Importer Affected by VCID-mep3-6sub-ykdk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml 38.1.0
2026-04-02T19:30:50.221687+00:00 Ruby Importer Affected by VCID-3wtf-uu89-2qe5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml 38.1.0
2026-04-02T19:30:46.042822+00:00 Ruby Importer Affected by VCID-pmrb-t3bm-zkb6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml 38.1.0
2026-04-02T19:30:44.868911+00:00 Ruby Importer Affected by VCID-nf8s-2aaa-17fw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml 38.1.0
2026-04-02T19:30:43.709172+00:00 Ruby Importer Affected by VCID-5hqj-fxmk-cbcy https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml 38.1.0
2026-04-02T19:30:42.540630+00:00 Ruby Importer Affected by VCID-kcj2-v7av-47cv https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml 38.1.0
2026-04-02T19:30:40.521524+00:00 Ruby Importer Affected by VCID-h94p-ywve-y7h9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml 38.1.0
2026-04-02T19:30:29.515154+00:00 Ruby Importer Affected by VCID-4epw-vk25-mfdw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml 38.1.0
2026-04-02T19:30:26.751867+00:00 Ruby Importer Affected by VCID-4he5-y1u4-gkd2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1857.yml 38.1.0
2026-04-02T19:30:10.469516+00:00 Ruby Importer Affected by VCID-carc-ntrd-ebfe https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-0156.yml 38.1.0
2026-04-02T19:30:04.057076+00:00 Ruby Importer Affected by VCID-c1w4-z275-tqg7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3463.yml 38.1.0
2026-04-02T19:30:02.737916+00:00 Ruby Importer Affected by VCID-cwa7-9d2t-rfhb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3465.yml 38.1.0
2026-04-02T19:30:00.060591+00:00 Ruby Importer Affected by VCID-awt1-8bxs-xffs https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3424.yml 38.1.0
2026-04-02T19:29:50.764243+00:00 Ruby Importer Affected by VCID-1rgy-k7a9-m7au https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml 38.1.0
2026-04-02T19:29:45.162857+00:00 Ruby Importer Affected by VCID-kr1b-uct1-7kf6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3186.yml 38.1.0
2026-04-02T13:45:13.371270+00:00 GHSA Importer Affected by VCID-ynqu-cjn9-fqf2 https://github.com/advisories/GHSA-vwfg-qj3r-6v3r 38.1.0
2026-04-02T13:45:11.621773+00:00 GHSA Importer Affected by VCID-h8gs-ansa-9bd9 https://github.com/advisories/GHSA-m53f-rhq8-q6hf 38.1.0
2026-04-02T13:45:10.863481+00:00 GHSA Importer Affected by VCID-3x4p-t3yb-3yak https://github.com/advisories/GHSA-5xmj-wm96-fmw8 38.1.0
2026-04-02T13:45:10.391363+00:00 GHSA Importer Affected by VCID-n8cc-3stk-97b5 https://github.com/advisories/GHSA-23v3-qfrj-wmgh 38.1.0
2026-04-02T13:45:09.774753+00:00 GHSA Importer Affected by VCID-y8gn-9fat-e7d1 https://github.com/advisories/GHSA-qf5x-qgx7-437h 38.1.0
2026-04-01T18:06:29.394061+00:00 GitLab Importer Affected by VCID-hppf-a715-r7b2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/GMS-2023-56.yml 38.0.0
2026-04-01T17:46:43.226867+00:00 GitLab Importer Affected by VCID-p5mc-r1rg-5ff7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2022-27777.yml 38.0.0
2026-04-01T17:07:30.175337+00:00 GitLab Importer Affected by VCID-wg3a-j2dp-ayh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22904.yml 38.0.0
2026-04-01T17:07:28.535817+00:00 GitLab Importer Affected by VCID-msda-xqbp-qfdd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2021-22903.yml 38.0.0
2026-04-01T16:46:47.981548+00:00 GitLab Importer Affected by VCID-1xgz-hwng-n3eq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8185.yml 38.0.0
2026-04-01T16:46:46.337902+00:00 GitLab Importer Affected by VCID-mnkw-23eu-bkgc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8166.yml 38.0.0
2026-04-01T16:46:15.266619+00:00 GitLab Importer Affected by VCID-a6sp-18av-wya6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2020-8164.yml 38.0.0
2026-04-01T16:21:27.078106+00:00 GitLab Importer Affected by VCID-v3r3-bwp5-a3bn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0752.yml 38.0.0
2026-04-01T16:21:21.593812+00:00 GitLab Importer Affected by VCID-phxs-zet8-ryh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-2660.yml 38.0.0
2026-04-01T16:21:11.425922+00:00 GitLab Importer Affected by VCID-cnqr-6e98-5kgk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2011-0446.yml 38.0.0
2026-04-01T16:21:07.837209+00:00 GitLab Importer Affected by VCID-awt1-8bxs-xffs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3424.yml 38.0.0
2026-04-01T16:21:07.018818+00:00 GitLab Importer Affected by VCID-cwa7-9d2t-rfhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-3465.yml 38.0.0
2026-04-01T16:15:10.691480+00:00 GitLab Importer Affected by VCID-bjwf-uhyk-63aj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2015-7576.yml 38.0.0
2026-04-01T16:15:07.851444+00:00 GitLab Importer Affected by VCID-9hq5-3usy-5fhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2016-0751.yml 38.0.0
2026-04-01T16:12:57.657301+00:00 GitLab Importer Affected by VCID-3wtf-uu89-2qe5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0081.yml 38.0.0
2026-04-01T16:12:56.706975+00:00 GitLab Importer Affected by VCID-mep3-6sub-ykdk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2014-0082.yml 38.0.0
2026-04-01T16:12:48.052430+00:00 GitLab Importer Affected by VCID-pmrb-t3bm-zkb6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6414.yml 38.0.0
2026-04-01T16:12:45.992464+00:00 GitLab Importer Affected by VCID-5hqj-fxmk-cbcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6415.yml 38.0.0
2026-04-01T16:12:21.878803+00:00 GitLab Importer Affected by VCID-4epw-vk25-mfdw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1855.yml 38.0.0
2026-04-01T16:12:20.288427+00:00 GitLab Importer Affected by VCID-4he5-y1u4-gkd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-1857.yml 38.0.0
2026-04-01T16:12:08.715285+00:00 GitLab Importer Affected by VCID-carc-ntrd-ebfe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-0156.yml 38.0.0
2026-04-01T15:53:59.066332+00:00 Ruby Importer Affected by VCID-g3rk-djae-pkeh https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml 38.0.0
2026-04-01T15:53:49.856147+00:00 Ruby Importer Affected by VCID-sgdb-985e-4uej https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml 38.0.0
2026-04-01T15:53:34.251572+00:00 Ruby Importer Affected by VCID-sfyc-jewr-wuf5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml 38.0.0
2026-04-01T15:53:20.570719+00:00 Ruby Importer Affected by VCID-ehbj-aezy-d7h4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml 38.0.0
2026-04-01T15:52:12.124396+00:00 Ruby Importer Affected by VCID-63gy-6njy-kbd8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml 38.0.0
2026-04-01T15:52:07.587301+00:00 Ruby Importer Affected by VCID-hppf-a715-r7b2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml 38.0.0
2026-04-01T15:49:46.866499+00:00 Ruby Importer Affected by VCID-6j55-bstz-yybj https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml 38.0.0
2026-04-01T15:49:34.082689+00:00 Ruby Importer Affected by VCID-7f5r-9h1g-nuch https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml 38.0.0
2026-04-01T15:49:25.915590+00:00 Ruby Importer Affected by VCID-49pq-vg95-jkh2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml 38.0.0
2026-04-01T15:49:10.816944+00:00 Ruby Importer Affected by VCID-knsd-pv15-tydx https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml 38.0.0
2026-04-01T15:49:09.333850+00:00 Ruby Importer Affected by VCID-cdnw-t8n1-23ep https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml 38.0.0
2026-04-01T15:49:06.735347+00:00 Ruby Importer Affected by VCID-3zdr-vasc-a7cn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3009.yml 38.0.0
2026-04-01T15:49:01.264541+00:00 Ruby Importer Affected by VCID-tt6r-bytq-4fa4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml 38.0.0
2026-04-01T15:48:45.946900+00:00 Ruby Importer Affected by VCID-j24x-nhsb-yug6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2197.yml 38.0.0
2026-04-01T15:48:42.612640+00:00 Ruby Importer Affected by VCID-hmp2-rmzv-wkhg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml 38.0.0
2026-04-01T15:48:39.610606+00:00 Ruby Importer Affected by VCID-phxs-zet8-ryh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml 38.0.0
2026-04-01T15:48:37.233674+00:00 Ruby Importer Affected by VCID-vgm2-8wjy-x7ed https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml 38.0.0
2026-04-01T15:48:34.080010+00:00 Ruby Importer Affected by VCID-cnqr-6e98-5kgk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml 38.0.0
2026-04-01T15:48:31.295387+00:00 Ruby Importer Affected by VCID-rps2-k24p-9qgq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml 38.0.0
2026-04-01T15:47:57.048393+00:00 Ruby Importer Affected by VCID-333w-aacz-mfcr https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml 38.0.0
2026-04-01T15:47:53.892359+00:00 Ruby Importer Affected by VCID-zkvd-bfd6-t7dg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml 38.0.0
2026-04-01T15:47:40.496503+00:00 Ruby Importer Affected by VCID-mep3-6sub-ykdk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml 38.0.0
2026-04-01T15:47:38.623572+00:00 Ruby Importer Affected by VCID-3wtf-uu89-2qe5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml 38.0.0
2026-04-01T15:47:33.489706+00:00 Ruby Importer Affected by VCID-pmrb-t3bm-zkb6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml 38.0.0
2026-04-01T15:47:32.233632+00:00 Ruby Importer Affected by VCID-nf8s-2aaa-17fw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml 38.0.0
2026-04-01T15:47:30.933291+00:00 Ruby Importer Affected by VCID-5hqj-fxmk-cbcy https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml 38.0.0
2026-04-01T15:47:29.657302+00:00 Ruby Importer Affected by VCID-kcj2-v7av-47cv https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml 38.0.0
2026-04-01T15:47:27.470245+00:00 Ruby Importer Affected by VCID-h94p-ywve-y7h9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml 38.0.0
2026-04-01T15:47:14.499325+00:00 Ruby Importer Affected by VCID-4epw-vk25-mfdw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml 38.0.0
2026-04-01T15:47:11.339652+00:00 Ruby Importer Affected by VCID-4he5-y1u4-gkd2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1857.yml 38.0.0
2026-04-01T15:46:53.384130+00:00 Ruby Importer Affected by VCID-carc-ntrd-ebfe https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-0156.yml 38.0.0
2026-04-01T15:46:45.381290+00:00 Ruby Importer Affected by VCID-c1w4-z275-tqg7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3463.yml 38.0.0
2026-04-01T15:46:43.989180+00:00 Ruby Importer Affected by VCID-cwa7-9d2t-rfhb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3465.yml 38.0.0
2026-04-01T15:46:41.071567+00:00 Ruby Importer Affected by VCID-awt1-8bxs-xffs https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3424.yml 38.0.0
2026-04-01T15:46:33.969538+00:00 Ruby Importer Affected by VCID-1rgy-k7a9-m7au https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml 38.0.0
2026-04-01T15:46:28.744822+00:00 Ruby Importer Affected by VCID-kr1b-uct1-7kf6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3186.yml 38.0.0