| purl | pkg:gem/actionpack@4.2.5.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4yst-m2tc-t3de<br>Aliases: GHSA-544j-77x9-h938 | Moderate severity vulnerability that affects actionpack. Withdrawn, accidental duplicate publish. actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. | Affected by 28 other vulnerabilities. |
| VCID-9hq5-3usy-5fhq<br>Aliases: CVE-2016-0751 GHSA-ffpv-c4hm-3x6v | Possible Object Leak and Denial of Service attack: A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. | Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-d15q-6ukb-wfff<br>Aliases: CVE-2015-7581 GHSA-9h6g-gp95-x3q5 | Object leak vulnerability for wildcard controller routes: Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. | Affected by 28 other vulnerabilities. |
| VCID-h8gs-ansa-9bd9<br>Aliases: GHSA-m53f-rhq8-q6hf | Moderate severity vulnerability that affects actionpack. Withdrawn, accidental duplicate publish. actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. | Affected by 28 other vulnerabilities. |
| VCID-v3r3-bwp5-a3bn<br>Aliases: CVE-2016-0752 GHSA-xrr4-p6fq-hjg7 | Path Traversal: The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. | Affected by 28 other vulnerabilities. |
| VCID-ynqu-cjn9-fqf2<br>Aliases: GHSA-vwfg-qj3r-6v3r | Moderate severity vulnerability that affects actionpack. Withdrawn, accidental duplicate publish. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. | Affected by 28 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T15:56:41.005768+00:00 | GHSA Importer | Affected by | VCID-ynqu-cjn9-fqf2 | https://github.com/advisories/GHSA-vwfg-qj3r-6v3r | 38.0.0 |
| 2026-04-01T15:56:40.642918+00:00 | GHSA Importer | Affected by | VCID-h8gs-ansa-9bd9 | https://github.com/advisories/GHSA-m53f-rhq8-q6hf | 38.0.0 |
| 2026-04-01T15:56:40.334949+00:00 | GHSA Importer | Affected by | VCID-4yst-m2tc-t3de | https://github.com/advisories/GHSA-544j-77x9-h938 | 38.0.0 |
| 2026-04-01T15:56:14.656936+00:00 | GHSA Importer | Affected by | VCID-d15q-6ukb-wfff | https://github.com/advisories/GHSA-9h6g-gp95-x3q5 | 38.0.0 |
| 2026-04-01T15:56:13.061093+00:00 | GHSA Importer | Affected by | VCID-v3r3-bwp5-a3bn | https://github.com/advisories/GHSA-xrr4-p6fq-hjg7 | 38.0.0 |
| 2026-04-01T15:56:12.495092+00:00 | GHSA Importer | Affected by | VCID-9hq5-3usy-5fhq | https://github.com/advisories/GHSA-ffpv-c4hm-3x6v | 38.0.0 |