{"url":"http://public2.vulnerablecode.io/api/packages/21995?format=json","purl":"pkg:gem/actionpack@4.1.14.2","type":"gem","namespace":"","name":"actionpack","version":"4.1.14.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.8.7","latest_non_vulnerable_version":"8.1.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33586?format=json","vulnerability_id":"VCID-1xgz-hwng-n3eq","summary":"Untrusted users can run pending migrations in production in Rails\nThere is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.\n\nThis vulnerability has been assigned the CVE identifier CVE-2020-8185.\n\nVersions Affected:  6.0.0 < rails < 6.0.3.2\nNot affected:       Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)\nFixed Versions:     rails >= 6.0.3.2\n\nImpact\n------\n\nUsing this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. 
It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.\n\nWorkarounds\n-----------\n\nUntil such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:\n\n`config.middleware.delete ActionDispatch::ActionableExceptions`","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8185","reference_id":"","reference_type":"","scores":[{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71592","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71509","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71515","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71532","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71505","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71545","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71557","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.7158","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71564","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00679","scoring_system":"epss","s
coring_elements":"0.71546","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8185"},{"reference_url":"https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"},{"reference_url":"https://hackerone.com/reports/899069","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/899069"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB","reference_id":"","reference_type":"","scores":[{"value":"6.5"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8185","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8185"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1852380","reference_id":"1852380","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1852380"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081","reference_id":"964081","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081"},{"reference_url":"https://github.com/advisories/GHSA-c6qr-h5vq-59jc","reference_id":"GHSA-c6qr-h5vq-59jc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6qr-h5vq-59jc"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73394?format=json","purl":"pkg:gem/actionpack@6.0.3.2","is_vulnerable":true
,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.2"}],"aliases":["CVE-2020-8185","GHSA-c6qr-h5vq-59jc"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xgz-hwng-n3eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8400?format=json","vulnerability_id":"VCID-3zdr-vasc-a7cn","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form 
helper.","references":[{"reference_url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"},{"reference_url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3009","reference_id":"","reference_type":"","scores":[{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81937","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81837","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81848","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.8187","published_at":"2026-04-04T
12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81866","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81893","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81899","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81919","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81907","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81902","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3009"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009"},{"reference_url":"http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/36600"},{"reference_url":"http://secunia.com/advisories/36717","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/36717"},{"reference_url":"http://securitytracker.com/id?1022824","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://securitytracker.com/id?1022824"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53036","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"},{"reference_url":"http://support.apple.com/kb/HT4077","reference_id":"","reference_type":"","scores":
[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.apple.com/kb/HT4077"},{"reference_url":"http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"},{"reference_url":"http://www.debian.org/security/2009/dsa-1887","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2009/dsa-1887"},{"reference_url":"http://www.osvdb.org/57666","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.osvdb.org/57666"},{"reference_url":"http://www.securityfocus.com/bid/36278","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/36278"},{"reference_url":"http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=520843","reference_id":"520843","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=520843"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"545063","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3009","reference_id":"CVE-2009-3009","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/C
VE-2009-3009"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml","reference_id":"CVE-2009-3009.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml"},{"reference_url":"https://github.com/advisories/GHSA-8qrh-h9m2-5fvf","reference_id":"GHSA-8qrh-h9m2-5fvf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qrh-h9m2-5fvf"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[],"aliases":["CVE-2009-3009","GHSA-8qrh-h9m2-5fvf","OSV-57666"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zdr-vasc-a7cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8439?format=json","vulnerability_id":"VCID-49pq-vg95-jkh2","summary":"Cross-Site Request Forgery (CSRF)\nRuby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to 
CVE-2011-0696.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0447","reference_id":"","reference_type":"","scores":[{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76907","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76879","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76868","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76837","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76857","published_at":"2026-04-04T1
2:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76822","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76922","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.7688","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76886","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00991","scoring_system":"epss","scoring_elements":"0.76828","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0447"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447"},{"reference_url":"http://secunia.com/advisories/43274","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43274"},{"reference_url":"http://secunia.com/advisories/43666","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43666"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034"},{"reference_url":"https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06"},{"reference_url":"https://web
.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291"},{"reference_url":"https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060"},{"reference_url":"http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"},{"reference_url":"http://www.debian.org/security/2011/dsa-2247","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2247"},{"reference_url":"http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/46291"},{"reference_url":"http://www.securitytracker.com/id?1025060","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1025060"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0587","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0587"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0877","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0877"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864","reference_id":"614864","reference_type":"","scores":[],"url":"https://bugs.d
ebian.org/cgi-bin/bugreport.cgi?bug=614864"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*"},{"referenc
e_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv
_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeName
Search=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:
rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0447","reference_id":"CVE-2011-0447","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0447"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml","reference_id":"CVE-2011-0447.YML","reference_type":"","scores":[{"value":"MODERATE
","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml"},{"reference_url":"https://github.com/advisories/GHSA-24fg-p96v-hxh8","reference_id":"GHSA-24fg-p96v-hxh8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-24fg-p96v-hxh8"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[],"aliases":["CVE-2011-0447","GHSA-24fg-p96v-hxh8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-49pq-vg95-jkh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16106?format=json","vulnerability_id":"VCID-63gy-6njy-kbd8","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. 
This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792","reference_id":"","reference_type":"","scores":[{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85729","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85707","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85711","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85715","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85701","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85689","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85646","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.8567","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85663","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.c
gi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_element
s":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual"
,"scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800","reference_id":"2164800","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792","reference_id":"CVE-2023-22792","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792"},{"reference_url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj","reference_id":"GHSA-p84v-45xj-wwqj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007/","reference_id":"ntap-20240202-0007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"R
HSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/136930?format=json","purl":"pkg:gem/actionpack@5.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/71452?format=json","purl":"pkg:gem/actionpack@5.2.8.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8.15"},{"url":"http://public2.vulnerablecode.io/api/packages/55418?format=json","purl":"pkg:gem/actionpack@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55815?format=json","purl":"pkg:gem/actionpack@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resour
ce_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1"}],"aliases":["CVE-2023-22792","GHSA-p84v-45xj-wwqj","GMS-2023-58"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8465?format=json","vulnerability_id":"VCID-6j55-bstz-yybj","summary":"High severity vulnerability that affects actionpack\nactionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0449","reference_id":"","reference_type":"","scores":[{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68141","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68064","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68083","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00555","scoring
_system":"epss","scoring_elements":"0.68062","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68113","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68128","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68152","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68138","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68105","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68042","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0449"},{"reference_url":"http://secunia.com/advisories/43278","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43278"},{"reference_url":"http://securitytracker.com/id?1025061","reference_id":"","reference_type":"","scores":[],"url":"http://securitytracker.com/id?1025061"},{"reference_url":"https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b"},{"reference_url":"https://github.com/rails/rails/tree/main/actionpack","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/tree/main/actionpack"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011
-0449.yml"},{"reference_url":"https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061"},{"reference_url":"http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0877","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0877"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"ht
tps://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vul
n/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0449","reference_id
":"CVE-2011-0449","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0449"},{"reference_url":"https://github.com/advisories/GHSA-4ww3-3rxj-8v6q","reference_id":"GHSA-4ww3-3rxj-8v6q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4ww3-3rxj-8v6q"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[],"aliases":["CVE-2011-0449","GHSA-4ww3-3rxj-8v6q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6j55-bstz-yybj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8411?format=json","vulnerability_id":"VCID-7f5r-9h1g-nuch","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nA certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple 
attempts.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3086","reference_id":"","reference_type":"","scores":[{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68185","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68147","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.6818","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68194","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68169","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68154","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68102","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68125","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68107","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68084","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3086"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086"},{"reference_url":"http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/36600"},{"reference_url":"https://gi
thub.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0"},{"reference_url":"https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978"},{"reference_url":"https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml"},{"reference_url":"https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generi
c_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600"},{"reference_url":"https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427"},{"reference_url":"http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails"},{"reference_url":"http://www.debian.org/security/2011/dsa-2260","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2260"},{"reference_url":"http://www.securityfocus.com/bid/37427","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/37427"},{"reference_url":"http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"545063","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3086","reference_id":"CVE-2009-3086","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3086"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml","reference_id":"CVE-2009-3086.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_
textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml"},{"reference_url":"https://github.com/advisories/GHSA-fg9w-g6m4-557j","reference_id":"GHSA-fg9w-g6m4-557j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fg9w-g6m4-557j"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[],"aliases":["CVE-2009-3086","GHSA-fg9w-g6m4-557j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7f5r-9h1g-nuch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33938?format=json","vulnerability_id":"VCID-a6sp-18av-wya6","summary":"Possible Strong Parameters Bypass in ActionPack\nThere is a strong parameters bypass vector in ActionPack.\n\nVersions Affected:  rails <= 6.0.3\nNot affected:       rails < 5.0.0\nFixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters.  Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters.  
Applications that use this return value may\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n  # Attacker has included the parameter: `{ is_admin: true }`\n  User.update(clean_up_params)\nend\n\ndef clean_up_params\n   params.each { |k, v|  SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_ele
ments":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164","reference_id":"","reference_type":"","scores":[{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91752","published_at":"2026-04-16T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.9169","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91698","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91703","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91712","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91724","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91731","published_at":"2026-04-09T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91734","published_at":"2026-04-11T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91736","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91732","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/c
vename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"},{"reference_url":"https://hackerone.com/reports/292797","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/292797"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":
""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1842634","reference_id":"1842634","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1842634"},{"reference_url":"https://github.com/advisories/GHSA-8727-m6gj-mc37","reference_id":"GHSA-8727-m6gj-mc37","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8727-m6gj-mc37"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73549?format=json","purl":"pkg:gem/actionpack@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/73550?format=json","purl":"pkg:gem/actionpack@6.0.3.1","is_vu
lnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1"}],"aliases":["CVE-2020-8164","GHSA-8727-m6gj-mc37"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a6sp-18av-wya6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8408?format=json","vulnerability_id":"VCID-cdnw-t8n1-23ep","summary":"Improper Input Validation\nThe to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted 
header.","references":[{"reference_url":"http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html","reference_id":"","reference_type":"","scores":[],"url":"http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-3187","reference_id":"","reference_type":"","scores":[{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.92606","published_at":"2026-04-01T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.92653","published_at":"2026-04-16T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.9264","published_at":"2026-04-13T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.92636","published_at":"2026-04-09T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.9263","published_at":"2026-04-08T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.92619","published_at":"2026-04-07T12:55:00Z"},{"value":"0.09049","scoring_system":"epss","scoring_elements":"0.92612","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-3187"},{"reference_url":"https://bugzilla.novell.com/show_bug.cgi?id=673010","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.novell.com/show_bug.cgi?id=673010"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml","reference_id"
:"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml"},{"reference_url":"https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html"},{"reference_url":"http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/17/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/17/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/19/11","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/19/11"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/20/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/20/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/13","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/13"},{"reference_url":"http://www.ope
nwall.com/lists/oss-security/2011/08/22/14","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/14"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3187","reference_id":"CVE-2011-3187","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3187"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/35352.rb","reference_id":"CVE-2011-3187;OSVDB-73733","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/35352.rb"},{"reference_url":"https://www.securityfocus.com/bid/46423/info","reference_id":"CVE-2011-3187;OSVDB-73733","reference_type":"exploit","scores":[],"url":"https://www.securityfocus.com/bid/46423/info"},{"reference_url":"https://github.com/advisories/GHSA-3vfw-7rcp-3xgm","reference_id":"GHSA-3vfw-7rcp-3xgm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vfw-7rcp-3xgm"}],"fixed_packages":[],"aliases":["CVE-2011-3187","GHSA-3vfw-7rcp-3xgm"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdnw-t8n1-23ep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8392?format=json","vulnerability_id":"VCID-cnqr-6e98-5kgk","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site 
scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0446","reference_id":"","reference_type":"","scores":[{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71366","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71274","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71282","published_at":"2026-
04-02T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.713","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71316","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71329","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71352","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71337","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.7132","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0446"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446"},{"reference_url":"http://secunia.com/advisories/43274","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43274"},{"reference_url":"http://secunia.com/advisories/43666","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43666"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217"},{"reference_url":"https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"
https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ"},{"reference_url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274"},{"reference_url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666"},{"reference_url":"https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291"},{"reference_url":"https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064"},{"reference_url":"http://www.debian.org/security/2011/dsa-2247","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2247"},{"reference_url":"http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":
"","scores":[],"url":"http://www.securityfocus.com/bid/46291"},{"reference_url":"http://www.securitytracker.com/id?1025064","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1025064"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0587","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0587"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0877","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0877"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864","reference_id":"614864","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vul
n/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&q
uery=cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:
beta:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:
*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],
"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0446","reference_id":"CVE-2011-0446","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:P/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0446"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml","reference_id":"CVE-2011-0446.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml","reference_id":"CVE-2011-0446.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml"},{"reference_url":"https://github.com/advisories/GHSA-75w6-p6mg-vh8j","reference_id":"GHSA-75w6-p6mg-vh8j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-75w6-p6mg-vh8j"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https
://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[],"aliases":["CVE-2011-0446","GHSA-75w6-p6mg-vh8j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cnqr-6e98-5kgk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18130?format=json","vulnerability_id":"VCID-dd9p-x7k3-37ea","summary":"Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to\nThe `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.\n\nVersions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28362","reference_id":"","reference_type":"","scores":[{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45215","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45164","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45162","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45194","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45174","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_eleme
nts":"0.45173","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45177","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.4512","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45155","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28362"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3","scoring_elements":""},{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"ge
neric_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441"},{"reference_url":"https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5"},{"reference_url":"https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250502-0009","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250502-0009"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058","reference_id":"1051058","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217785","reference_id":"2217785","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217785"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28362","reference_id":"CVE-2023-28362","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28362"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml","reference_id":"CVE-2023-28362.YML","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml"},{"reference_url":"https://github.com/advisories/GHSA-4g8v-vg43-wpgf","reference_id":"GHSA-4g8v-vg43-wpgf","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/"}],"url":"https://github.com/advisories/GHSA-4g8v-vg43-wpgf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7851","reference_id":"RHSA-202
3:7851","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7851"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58478?format=json","purl":"pkg:gem/actionpack@6.1.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/58479?format=json","purl":"pkg:gem/actionpack@7.0.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1"}],"aliases":["CVE-2023-28362","GHSA-4g8v-vg43-wpgf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dd9p-x7k3-37ea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15032?format=json","vulnerability_id":"VCID-ehbj-aezy-d7h4","summary":"Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n\nThere is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. 
This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected:  >= 7.1.0, < 7.1.3.1\nNot affected:       < 7.1.0\nFixed Versions:     7.1.3.1\n\nImpact\n------\nCarefully crafted Accept headers can cause Accept header parsing in Action\nDispatch to take an unexpected amount of time, possibly resulting in a DoS\nvulnerability.  All users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby\n3.2 or newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 7-1-accept-redox.patch - Patch for 7.1 series\n\nCredits\n-------\nThanks [svalkanov](https://hackerone.com/svalkanov) for the report and 
patch!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26142","reference_id":"","reference_type":"","scores":[{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87692","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.8768","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87685","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87632","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87647","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87645","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87674","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03542","scoring_system":"epss","scoring_elements":"0.87667","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26142"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/202
4-02-28T20:01:00Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26142","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26142"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266324","reference_id":"2266324","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266324"},{"reference_url":"https://github.com/advisories/GHSA-jjhx-jhvp-74wq","reference_id":"GHSA-jjhx-jhvp-74wq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjhx-jhvp-74wq"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240503-0003/","reference_id":"ntap-20240503-0003","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240503-0003/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52891?format=json","purl":"pkg:gem/actionpack@7.1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1"}],"aliases":["CVE-2024-26142","GHSA-jjhx-jhvp-74wq"],"risk_s
core":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehbj-aezy-d7h4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14522?format=json","vulnerability_id":"VCID-g3rk-djae-pkeh","summary":"Possible Content Security Policy bypass in Action Dispatch\nThere is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.\n\nImpact\n------\nApplications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nApplications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\n\nCredits\n-------\nThanks to [ryotak](https://hackerone.com/ryotak) for the 
report!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.31424","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.31466","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40871","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40906","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40834","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.4089","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40883","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40895","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40852","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_
textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"},{"reference_url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"},{"reference_url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"},{"reference_url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/S
I:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250306-0010","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","s
coring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250306-0010"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755","reference_id":"1089755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619","reference_id":"2331619","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619"},{"reference_url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"GHSA-vfm5-rmrh-j26v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50946?format=json","purl":"pkg:gem/actionpack@7.0.8.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50947?format=json","purl":"pkg:gem/actionpack@7.1.5.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"}
,{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50948?format=json","purl":"pkg:gem/actionpack@7.2.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/50949?format=json","purl":"pkg:gem/actionpack@8.0.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1"}],"aliases":["CVE-2024-54133","GHSA-vfm5-rmrh-j26v"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3rk-djae-pkeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8427?format=json","vulnerability_id":"VCID-hmp2-rmzv-wkhg","summary":"Improper Input Validation\nThe template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a \"filter skipping 
vulnerability.\"","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2929","reference_id":"","reference_type":"","scores":[{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74282","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74301","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.7428","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74259","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74232","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74228","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74265","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74
311","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00814","scoring_system":"epss","scoring_elements":"0.74274","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2929"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=731432","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=731432"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml"},{"reference_url":"https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"},{"reference_url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/17/1","reference_id":"","reference_type":"","scores":
[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/17/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/19/11","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/19/11"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/20/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/20/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/13","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/13"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/14","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/14"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2929","reference_id":"CVE-2011-2929","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2929"},{"reference_url":"https://github.com/advisories/GHSA-r7q2-5gqg-6c7q","reference_id":"GHSA-r7q2-5gqg-6c7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA
-r7q2-5gqg-6c7q"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[],"aliases":["CVE-2011-2929","GHSA-r7q2-5gqg-6c7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hmp2-rmzv-wkhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16390?format=json","vulnerability_id":"VCID-hppf-a715-r7b2","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds 
immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81303","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.8121","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81234","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81267","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81288","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81274","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81266","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi
-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"c
vssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/136930?format=json","purl":"pkg:gem/actionpack@5.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulner
ability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/55418?format=json","purl":"pkg:gem/actionpack@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55815?format=json","purl":"pkg:gem/actionpack@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8446?format=json","vulnerability_id":"VCID-j24x-nhsb-yug6","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nThe cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted 
strings to an application that uses a problematic string method, as demonstrated by the sub method.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html"},{"reference_url":"http://openwall.com/lists/oss-security/2011/06/09/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2011/06/09/2"},{"reference_url":"http://openwall.com/lists/oss-security/2011/06/13/9","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2011/06/13/9"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2197","reference_id":"","reference_type":"","scores":[{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63314","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.6319","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00442","scoring_system":"epss
","scoring_elements":"0.63249","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63278","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63243","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63295","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63313","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.6333","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2197"},{"reference_url":"http://secunia.com/advisories/44789","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/44789"},{"reference_url":"https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd"},{"reference_url":"https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da"},{"reference_url":"http://weblog.rubyonrails.org/2011/6/8/potent
ial-xss-vulnerability-in-ruby-on-rails-applications","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2197","reference_id":"CVE-2011-2197","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2197"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml","reference_id":"CVE-2011-2197.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml"},{"reference_url":"https://github.com/advisories/GHSA-v9v4-7jp6-8c73","reference_id":"GHSA-v9v4-7jp6-8c73","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v9v4-7jp6-8c73"}],"fixed_packages":[],"aliases":["CVE-2011-2197","GHSA-v9v4-7jp6-8c73"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j24x-nhsb-yug6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8404?format=json","vulnerability_id":"VCID-knsd-pv15-tydx","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid 
name.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2931","reference_id":"","reference_type":"","scores":[{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74293","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74208","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74214","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.7424","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74213","published_at"
:"2026-04-07T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74246","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.7426","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74282","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74263","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00813","scoring_system":"epss","scoring_elements":"0.74256","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2931"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=731436","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=731436"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931"},{"reference_url":"http://secunia.com/advisories/45921","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/45921"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_
elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml"},{"reference_url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"},{"reference_url":"http://www.debian.org/security/2011/dsa-2301","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2301"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/17/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/17/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/19/11","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/19/11"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/20/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/20/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/13","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/13"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/08/22/14","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/14"},{"reference_url":"http://
www.openwall.com/lists/oss-security/2011/08/22/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/08/22/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2931","reference_id":"CVE-2011-2931","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2931"},{"reference_url":"https://github.com/advisories/GHSA-v5jg-558j-q67c","reference_id":"GHSA-v5jg-558j-q67c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v5jg-558j-q67c"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[],"aliases":["CVE-2011-2931","GHSA-v5jg-558j-q67c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-knsd-pv15-tydx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34108?format=json","vulnerability_id":"VCID-mnkw-23eu-bkgc","summary":"Ability to forge per-form CSRF tokens in Rails\nIt is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.\n\nImpact\n------\n\nGiven the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. 
As such, no workaround is necessarily until such time as the application can be upgraded.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166","reference_id":"","reference_type":"","scores":[{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63345","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63311","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63348","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63364","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63347","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63329","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63278","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63312","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63284","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63225","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/a
ctionpack/CVE-2020-8166.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"},{"reference_url":"https://hackerone.com/reports/732415","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/732415"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843152","reference_id":"1843152","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843152"},{"reference_url":"https://github.com/advisories/GHSA-jp5v-5gx4-jmj9","reference_id":"GHSA-jp5v-5gx4-jmj9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.c
om/advisories/GHSA-jp5v-5gx4-jmj9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73549?format=json","purl":"pkg:gem/actionpack@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/73550?format=json","purl":"pkg:gem/actionpack@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://pub
lic2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1"}],"aliases":["CVE-2020-8166","GHSA-jp5v-5gx4-jmj9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mnkw-23eu-bkgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47598?format=json","vulnerability_id":"VCID-msda-xqbp-qfdd","summary":"Possible Open Redirect Vulnerability in Action Pack\nThere is a possible Open Redirect Vulnerability in Action Pack.\n\nVersions Affected:  >= v6.1.0.rc2\nNot affected:       < v6.1.0.rc2\nFixed Versions:     6.1.3.2\n\nImpact\n------\nThis is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious\nwebsite.\n\nSince rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << \"sub.example.com\" to permit a request with a Host header value of sub-example.com.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch put in an initializer can be used as a workaround.\n\n```ruby\nclass ActionDispatch::HostAuthorization::Permissions\n  def sanitize_string(host)\n    if host.start_with?(\".\")\n      /\\A(.+\\.)?#{Regexp.escape(host[1..-1])}\\z/i\n    else\n      /\\A#{Regexp.escape host}\\z/i\n    end\n  end\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 6-1-open-redirect.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. 
Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22903","reference_id":"","reference_type":"","scores":[{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35808","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35768","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35791","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3592","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35831","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35823","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35801","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35693","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35751","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3589","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22903"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22903-possible
-open-redirect-vulnerability-in-action-pack/77867","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF
0"},{"reference_url":"https://hackerone.com/reports/1148025","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1148025"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22903","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22903"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957438","reference_id":"1957438","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957438"},{"reference_url":"https://security.archlinux.org/AVG-1919","reference_id":"AVG-1919","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1919"},{"reference_url":"https://github.com/advisories/GHSA-5hq2-xf89-9jxq","reference_id":"GHSA-5hq2-xf89-9jxq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5hq2-xf89-9jxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VC
ID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22903","GHSA-5hq2-xf89-9jxq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-msda-xqbp-qfdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13941?format=json","vulnerability_id":"VCID-p5mc-r1rg-5ff7","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27777","reference_id":"","reference_type":"","scores":[{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.7586","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75823","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75829","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75848","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75824","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75812","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.7578","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00911","scoring_system":"epss","scoring_elements":"0.75801","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00911","
scoring_system":"epss","scoring_elements":"0.75768","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://c
ve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"reference_url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982","reference_id":"1016982","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080296","reference_id":"2080296","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080296"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27777","reference_id":"CVE-2022-27777","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N
/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27777"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml","reference_id":"CVE-2022-27777.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml"},{"reference_url":"https://github.com/advisories/GHSA-ch3h-j2vf-95pv","reference_id":"GHSA-ch3h-j2vf-95pv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ch3h-j2vf-95pv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79892?format=json","purl":"pkg:gem/actionpack@5.2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79893?format=json","purl":"pkg:gem/actionpack@6.0.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulner
ability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8"},{"url":"http://public2.vulnerablecode.io/api/packages/79894?format=json","purl":"pkg:gem/actionpack@6.1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79895?format=json","purl":"pkg:gem/actionpack@7.0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6tty-dbwx-rbgx"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4"}],"aliases":["CVE-2022-27777","GHSA-ch3h-j2vf-95pv","GMS-2022-1138"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p5mc-r1rg-5ff7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6734?format=json","vulnerability_id":"VCID-phxs-zet8-ryh3","summary":"SQL Injection\nRuby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. 
This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-0154.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-0154.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2660.json","reference_id":"","reference_type":"","scor
es":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2660.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-2660","reference_id":"","reference_type":"","scores":[{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52801","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52708","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52734","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.527","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52751","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52745","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52796","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.5278","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52763","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52663","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-2660"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b"},{"reference_url":"https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a398
6d01d#diff-3179d24efacadd64068c4d9c1184eac3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d#diff-3179d24efacadd64068c4d9c1184eac3"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml"},{"reference_url":"https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ"},{"reference_url":"https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=827353","reference_id":"827353","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=827353"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-2660","reference_id":"CVE-2012-2660","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-2660"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml","reference_id":"CVE-2012-2660.YML","refe
rence_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml","reference_id":"CVE-2012-2660.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml"},{"reference_url":"https://github.com/advisories/GHSA-hgpp-pp89-4fgf","reference_id":"GHSA-hgpp-pp89-4fgf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hgpp-pp89-4fgf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0154","reference_id":"RHSA-2013:0154","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0154"}],"fixed_packages":[],"aliases":["CVE-2012-2660","GHSA-hgpp-pp89-4fgf","OSV-82610"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-phxs-zet8-ryh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6712?format=json","vulnerability_id":"VCID-rps2-k24p-9qgq","summary":"Translate helper method which may allow an attacker to insert arbitrary code into a page\nThe helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. 
It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain"},{"reference_url":"http://openwall.com/lists/oss-security/2011/11/18/8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2011/11/18/8"},{"reference_url":"http://osvdb.org/77199","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/77199"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4319","reference_id":"","reference_type":"","scores":[{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.6969","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69705","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69684","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69666","pu
blished_at":"2026-04-08T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69615","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69607","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69718","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69636","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69621","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4319"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71364","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c"},{"reference_url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade"},{"reference_url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4
f93f63b3928a5a1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU"},{"reference_url":"https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722"},{"reference_url":"https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342"},{"reference_url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/11/18/rails-3
-0-11-has-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"},{"reference_url":"http://www.securityfocus.com/bid/50722","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/50722"},{"reference_url":"http://www.securitytracker.com/id?1026342","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1026342"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=755004","reference_id":"755004","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=755004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4319","reference_id":"CVE-2011-4319","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4319"},{"reference_url":"https://github.com/advisories/GHSA-xxr8-833v-c7wc","reference_id":"GHSA-xxr8-833v-c7wc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxr8-833v-c7wc"}],"fixed_packages":[],"aliases":["CVE-2011-4319","GHSA-xxr8-833v-c7wc","OSV-77199"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rps2-k24p-9qgq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11785?format=json","vulnerability_id":"VCID-sfyc-jewr-wuf5","summary":"Possible ReDoS vulnerability in HTTP Token authentication in Action Controller\nThere is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. 
This vulnerability has been assigned the CVE identifier CVE-2024-47887.\n\nImpact\n------\n\nFor applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers on Ruby 3.2 are unaffected by this issue.\n\n\nCredits\n-------\nThanks to [scyoon](https://hackerone.com/scyoon) for reporting","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47887","reference_id":"","reference_type":"","scores":[{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.5297","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52876","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52932","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52948","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52964","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52914","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0
0296","scoring_system":"epss","scoring_elements":"0.5292","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.5287","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00296","scoring_system":"epss","scoring_elements":"0.52901","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47887"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml","referenc
e_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376","reference_id":"1085376","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319034","reference_id":"2319034","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319034"},{"reference_url":"https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049","reference_id":"56b2fc3302836405b496e196a8d5fc0195e55049","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049"},{"reference_url":"https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a","reference_id":"7c1398854d51f9bb193fb79f226647351133d08a","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a"},{"reference_url":"https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545","reference_id":"8e057db25bff1dc7a98e9ae72e0083825b9ac545","reference_type":"","scores":[{"value":"6.6","scoring
_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47887","reference_id":"CVE-2024-47887","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47887"},{"reference_url":"https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2","reference_id":"f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/"}],"url":"https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2"},{"reference_url":"https://github.com/advisories/GHSA-vfg9-r3fq-jvx4","reference_id":"GHSA-vfg9-r3fq-jvx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfg9-r3fq-jvx4"},{"reference_url":"https://usn.ubuntu.com/7290-1/","reference_id":"USN-7290-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7290-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42273?format=json","purl":"pkg:gem/actionpack@6.1.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d
7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/42274?format=json","purl":"pkg:gem/actionpack@7.0.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42276?format=json","purl":"pkg:gem/actionpack@7.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42277?format=json","purl":"pkg:gem/actionpack@7.2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1"},{"url":"http://public2.vulnerablecode.i
o/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"}],"aliases":["CVE-2024-47887","GHSA-vfg9-r3fq-jvx4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sfyc-jewr-wuf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11925?format=json","vulnerability_id":"VCID-sgdb-985e-4uej","summary":"Possible ReDoS vulnerability in query parameter filtering in Action Dispatch\nThere is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.\n\nImpact\n------\n\nCarefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. 
Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers on Ruby 3.2 are unaffected by this issue.\n\n\nCredits\n-------\n\nThanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json"},{"reference_url":"https://access.redhat.com/security/cve/cve-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://access.redhat.com/security/cve/cve-2024-41128"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69624","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69608","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69557","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69562","published_at":"2026-04-02T12:55:00Z"},{"valu
e":"0.00605","scoring_system":"epss","scoring_elements":"0.69578","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69657","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69618","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69632","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00605","scoring_system":"epss","scoring_elements":"0.69647","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41128"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319036","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319036"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.
6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"},{"reference_url":"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"},{"reference_url":"https://github.com/rails/rails/co
mmit/b1241f468d1b32235f438c2e2203386e6efd3891","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"},{"reference_url":"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41128","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41128"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376","reference_id":"1085376","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376"},{"reference_url":"https://github.com/advisories/GHSA-x76w-6vjr-8xgj","reference_id":"GHSA-x76w-6vjr-8xgj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x76w-6vjr-8xgj"},{"reference_url":"https://usn.ubuntu.com/7290-1/","r
eference_id":"USN-7290-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7290-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42273?format=json","purl":"pkg:gem/actionpack@6.1.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/136966?format=json","purl":"pkg:gem/actionpack@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/42274?format=json","purl":"pkg:gem/actionpack@7.0.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/139138?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42276?format=json","purl":"pkg:gem/actionpack@7.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58922?format=json","purl":"pkg:gem/actionpac
k@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/42277?format=json","purl":"pkg:gem/actionpack@7.2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/139267?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"}],"aliases":["CVE-2024-41128","GHSA-x76w-6vjr-8xgj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sgdb-985e-4uej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8450?format=json","vulnerability_id":"VCID-tt6r-bytq-4fa4","summary":"actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request\n`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to 
CVE-2012-2660.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-0154.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-0154.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2694.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-
2694.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-2694","reference_id":"","reference_type":"","scores":[{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44682","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44693","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44728","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44671","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.4467","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44701","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44684","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44631","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44593","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44673","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-2694"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a"},{"reference_url":"https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52"},{"reference_url":"https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=831581","reference_id":"831581","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=831581"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-2694","reference_id":"CVE-2012-2694","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-2694"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml","reference_id":"CVE-2012-2694.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml"},{"reference_url":"https://github.com/advisories/GHSA-q34c-48gc-m9g8","reference_id":"GHSA-q34c-48gc-m9g8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q34c-48gc-m9g8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","score
s":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0154","reference_id":"RHSA-2013:0154","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0154"}],"fixed_packages":[],"aliases":["CVE-2012-2694","GHSA-q34c-48gc-m9g8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tt6r-bytq-4fa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8422?format=json","vulnerability_id":"VCID-vgm2-8wjy-x7ed","summary":"Improper Input Validation\nRuby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"},{"reference_url":"http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup"},{"reference_url":"http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/","reference_id":"
","reference_type":"","scores":[],"url":"http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2008-7248","reference_id":"","reference_type":"","scores":[{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.9359","published_at":"2026-04-16T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93535","published_at":"2026-04-01T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93544","published_at":"2026-04-02T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93552","published_at":"2026-04-04T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93553","published_at":"2026-04-07T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93561","published_at":"2026-04-08T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93564","published_at":"2026-04-09T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.9357","published_at":"2026-04-12T12:55:00Z"},{"value":"0.11409","scoring_system":"epss","scoring_elements":"0.93571","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2008-7248"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=544329","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=544329"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248"},{"reference_url":"http:/
/secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/36600"},{"reference_url":"http://secunia.com/advisories/38915","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/38915"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a"},{"reference_url":"https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"},{"reference_url":"https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"},{"reference_url":"https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup"},{"reference_url":"https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/","reference_id":"","reference_type":"","scores":[],"url":"https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/"},{"reference_url
":"https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1"},{"reference_url":"https://www.openwall.com/lists/oss-security/2009/11/28/1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2009/11/28/1"},{"reference_url":"https://www.openwall.com/lists/oss-security/2009/12/02/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2009/12/02/2"},{"reference_url":"https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html"},{"reference_url":"http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/11/28/1","reference_id":"","reference_typ
e":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/11/28/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/12/02/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/12/02/2"},{"reference_url":"http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html"},{"reference_url":"http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685","reference_id":"558685","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2008-7248","reference_id":"CVE-2008-7248","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/CVE-2008-7248"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2008-7248","reference_id":"CVE-2008-7248","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-7248"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt","reference_id":"CVE-2008-7248;OSVDB-61124","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt"},{"reference_url":"https://www.securityfocus.com/bid/37322/info","reference_id":"CVE-2008-7248;OSVDB-61124","reference_type"
:"exploit","scores":[],"url":"https://www.securityfocus.com/bid/37322/info"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml","reference_id":"CVE-2008-7248.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml"},{"reference_url":"https://github.com/advisories/GHSA-8fqx-7pv4-3jwm","reference_id":"GHSA-8fqx-7pv4-3jwm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fqx-7pv4-3jwm"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[],"aliases":["CVE-2008-7248","GHSA-8fqx-7pv4-3jwm"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vgm2-8wjy-x7ed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47410?format=json","vulnerability_id":"VCID-wg3a-j2dp-ayh4","summary":"Possible DoS Vulnerability in Action Controller Token Authentication\nThere is a possible DoS vulnerability in the Token Authentication logic in Action Controller.\n\nVersions Affected:  >= 4.0.0\nNot affected:       < 4.0.0\nFixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  
Impacted code will look something like this:\n\n```\nclass PostsController < ApplicationController\n  before_action :authenticate\n\n  private\n\n  def authenticate\n    authenticate_or_request_with_http_token do |token, options|\n      # ...\n    end\n  end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around the issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n  AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-http-authentication-dos.patch - Patch for 5.2 series\n* 6-0-http-authentication-dos.patch - Patch for 6.0 series\n* 6-1-http-authentication-dos.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. 
Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\nThank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92022","published_at":"2026-04-16T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92004","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91987","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91981","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91966","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91974","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","refere
nce_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elemen
ts":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379","reference_id":"1961379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference
_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584","reference_id":"GHSA-7wjx-3g7j-8584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77107?format=json","purl":"pkg:gem/actionpack@5.2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/77106?format=json","purl":"pkg:gem/actionpack@5.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"
},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/77104?format=json","purl":"pkg:gem/actionpack@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/77105?format=json","purl":"pkg:gem/actionpack@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-ce39-j83r-6ug9"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-p22r-u1dd-b7b3"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4"}],"fixing_
vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50461?format=json","vulnerability_id":"VCID-42dz-pxpv-qff3","summary":"High severity vulnerability that affects actionpack\nWithdrawn, accidental duplicate publish.\n\nAction Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.","references":[{"reference_url":"https://github.com/advisories/GHSA-hx46-vwmx-wx95","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hx46-vwmx-wx95"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2098","reference_id":"CVE-2016-2098","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2098"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21989?format=json","purl":"pkg:gem/actionpack@3.2.22.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-86jq-2md2-d7ah"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{
"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21995?format=json","purl":"pkg:gem/actionpack@4.1.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21996?format=json","purl":"pkg:gem/actionpack@4.2.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VC
ID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.5.2"}],"aliases":["GHSA-hx46-vwmx-wx95"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-42dz-pxpv-qff3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7338?format=json","vulnerability_id":"VCID-s5ah-tf63-a7cw","summary":"Improper Input Validation\nThe Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render 
method.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":
"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2098.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2098.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2098","reference_id":"","reference_type":"","scores":[{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99461","published_at":"2026-04-16T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99452","published_at":"2026-04-01T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99451","published_at":"2026-04-02T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99453","published_at":"2026-04-04T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99454","published_at":"2026-04-07T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99456","published_at":"2026-04-09T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99457","published_at":"2026-04-11T12:55:00Z"},{"value":"0.8743","scoring_system":"epss","scoring_elements":"0.99458","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2098"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097"},{"reference_url":"https:
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ly-IH-fxr_Q","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ly-IH-fxr_Q"},{"reference_url":"https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725","ref
erence_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725"},{"reference_url":"https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"},{"reference_url":"https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122"},{"reference_url":"https://www.exploit-db.com/exploits/40086","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/40086"},{"reference_url":"https://www.exploit-db.com/exploits/40086/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/40086/"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"},{"reference_url":"http://www.debian.org/security/2016/dsa-3509","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3509"},{"reference_url":"http://www.securityfocus.com/bid/83725","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/83725"},{"reference_url":"http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1035122"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310054","reference_id":"1310054","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310054"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_type":"","scores":[],"url"
:"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln
/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isC
peNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails
:rails:4.0.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*"},{"reference_
url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.n
ist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search
/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search
=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:
2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*
:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","
reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:ru
byonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*
:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"ur
l":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[]
,"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/remote/40086.rb","reference_id":"CVE-2016-2098","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/remote/40086.rb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2098","reference_id":"CVE-2016-2098","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2098"},{"reference_url":"https://github.com/advisories/GHSA-78rc-8c29-p45g","reference_id":"GHSA-78rc-8c29-p45g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-78rc-8c29-p45g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0454","reference_id":"RHSA-2016:0454","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0454"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0455","reference_id":"RHSA-2016:0455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0456","reference_id":"RHSA-2016:0456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0456"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21989?format=json","purl":"pkg:gem/actionpack@3.2.22.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulne
rability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-86jq-2md2-d7ah"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21995?format=json","purl":"pkg:gem/actionpack@4.1.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkg
c"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21996?format=json","purl":"pkg:gem/actionpack@4.2.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.5.2"}],"aliases":["CVE-2016-2098","GHSA-78rc-8c29-p45g"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s5ah-tf63-a7cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerab
ilities/7339?format=json","vulnerability_id":"VCID-z1jv-4ga2-7kd1","summary":"Possible Information Leak Vulnerability\nApplications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2097.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/sec
uritydata/cve/CVE-2016-2097.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097","reference_id":"","reference_type":"","scores":[{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83281","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83257","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83242","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83226","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83295","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83299","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83305","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.8329","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83331","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","referenc
e_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system"
:"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4"},{"reference_url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122"},{"reference_url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726"},{"reference_url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1
-14-2-3-2-22-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"},{"reference_url":"http://www.debian.org/security/2016/dsa-3509","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3509"},{"reference_url":"http://www.securityfocus.com/bid/83726","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/83726"},{"reference_url":"http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1035122"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310043","reference_id":"1310043","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310043"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rub
yonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:
*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_id":"cpe:
2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"ht
tps://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vu
ln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?ad
v_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&is
CpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:ru
byonrails:rails:4.1.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*"}
,{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097","reference_id":"CVE-2016-2097","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097"},{"reference_url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8","reference_id":"GHSA-vx9j-46rh-fqr8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0454","reference_id":"RHSA-2016:0454","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0454"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0455","reference_id":"RHSA-2016:0455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0456","reference_id":"RHSA-2016:0456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0456"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21989?format=json","purl":"pkg:gem/actionpack@3.2.22.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-86jq-2md2-d7ah"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulne
rability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21995?format=json","purl":"pkg:gem/actionpack@4.1.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-3zdr-vasc-a7cn"},{"vulnerability":"VCID-49pq-vg95-jkh2"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6j55-bstz-yybj"},{"vulnerability":"VCID-7f5r-9h1g-nuch"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-cdnw-t8n1-23ep"},{"vulnerability":"VCID-cnqr-6e98-5kgk"},{"vulnerability":"VCID-dd9p-x7k3-37ea"},{"vulnerability":"VCID-ehbj-aezy-d7h4"},{"vulnerability":"VCID-g3rk-djae-pkeh"},{"vulnerability":"VCID-hmp2-rmzv-wkhg"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-j24x-nhsb-yug6"},{"vulnerability":"VCID-knsd-pv15-tydx"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-msda-xqbp-qfdd"},{"vulnerability":"VCID-p5mc-r1rg-5ff7"},{"vulnerability":"VCID-phxs-zet8-ryh3"},{"vulnerability":"VCID-rps2-k24p-9qgq"},{"vulnerability":"VCID-sfyc-jewr-wuf5"},{"vulnerability":"VCID-sgdb-985e-4uej"},{"vulnerability":"VCID-tt6r-bytq-4fa4"},{"vulnerability":"VCID-vgm2-8wjy-x7ed"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.2"}],"aliases":["CVE-2016-2097","GHSA-vx9j-46rh-fqr8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jv-4ga2-7kd1"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.2"}