Search for packages
| purl | pkg:rpm/redhat/rh-ror41-rubygem-actionpack@1:4.1.5-3?arch=el6 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9hq5-3usy-5fhq
Aliases: CVE-2016-0751 GHSA-ffpv-c4hm-3x6v |
Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. | There are no reported fixed by versions. |
|
VCID-bjwf-uhyk-63aj
Aliases: CVE-2015-7576 GHSA-p692-7mm3-3fxg |
Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. | There are no reported fixed by versions. |
|
VCID-d15q-6ukb-wfff
Aliases: CVE-2015-7581 GHSA-9h6g-gp95-x3q5 |
Object leak vulnerability for wildcard controller routes Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. | There are no reported fixed by versions. |
|
VCID-pb5f-g4uc-r7fp
Aliases: CVE-2016-0753 GHSA-543v-gj2c-r3ch |
Possible Input Validation Circumvention Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the `permit!` method to allow mass assignment. | There are no reported fixed by versions. |
|
VCID-thx6-usb2-kkgc
Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 |
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. | There are no reported fixed by versions. |
|
VCID-v3r3-bwp5-a3bn
Aliases: CVE-2016-0752 GHSA-xrr4-p6fq-hjg7 |
Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||