{"url":"http://public2.vulnerablecode.io/api/packages/25335?format=json","purl":"pkg:gem/rails@3.0.11","type":"gem","namespace":"","name":"rails","version":"3.0.11","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.7.7","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8396?format=json","vulnerability_id":"VCID-2mcx-b9k2-83bh","summary":"Ruby on Rails vulnerable to code injection\nRuby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.","references":[{"reference_url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111","reference_id":"","reference_type":"","scores":[{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88406","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88414","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88403","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88397","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.8835","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88373","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88359","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88378","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111"},{"reference_url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111","reference_id":"CVE-2006-4111","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml","reference_id":"CVE-2006-4111.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml"},{"reference_url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp","reference_id":"GHSA-rvpq-5xqx-pfpp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[],"aliases":["CVE-2006-4111","GHSA-rvpq-5xqx-pfpp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2mcx-b9k2-83bh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6939?format=json","vulnerability_id":"VCID-35rt-t6e1-pfa6","summary":"Directory Traversal Vulnerability With Certain Route Configurations\nThe implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server.","references":[{"reference_url":"http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"},{"reference_url":"http://osvdb.org/show/osvdb/106704","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/show/osvdb/106704"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0510","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:0510"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0816","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:0816"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1863","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:1863"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0130.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0130.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0130","reference_id":"","reference_type":"","scores":[{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97593","published_at":"2026-04-07T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97592","published_at":"2026-04-04T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97604","published_at":"2026-04-11T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97605","published_at":"2026-04-12T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97589","published_at":"2026-04-02T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97601","published_at":"2026-04-09T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97598","published_at":"2026-04-08T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97583","published_at":"2026-04-01T12:55:00Z"},{"value":"0.45374","scoring_system":"epss","scoring_elements":"0.97606","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0130"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk"},{"reference_url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244"},{"reference_url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"},{"reference_url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130"},{"reference_url":"http://www.securityfocus.com/bid/67244","reference_id":"67244","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://www.securityfocus.com/bid/67244"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/CVE-2014-0130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml","reference_id":"CVE-2014-0130.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml"},{"reference_url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx","reference_id":"GHSA-6x85-j5j2-27jx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20662?format=json","purl":"pkg:gem/rails@3.2.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/20663?format=json","purl":"pkg:gem/rails@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/20664?format=json","purl":"pkg:gem/rails@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.1"}],"aliases":["CVE-2014-0130","GHSA-6x85-j5j2-27jx"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-35rt-t6e1-pfa6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6903?format=json","vulnerability_id":"VCID-3wtf-uu89-2qe5","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"},{"reference_url":"http://openwall.com/lists/oss-security/2014/02/18/8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2014/02/18/8"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0081","reference_id":"","reference_type":"","scores":[{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75435","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75378","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75382","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75415","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75394","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75438","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75447","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75467","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75446","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4"},{"reference_url":"https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782"},{"reference_url":"https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647"},{"reference_url":"https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1065520","reference_id":"1065520","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1065520"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081","reference_id":"CVE-2014-0081","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081"},{"reference_url":"https://github.com/advisories/GHSA-m46p-ggm5-5j83","reference_id":"GHSA-m46p-ggm5-5j83","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m46p-ggm5-5j83"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0215","reference_id":"RHSA-2014:0215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0306","reference_id":"RHSA-2014:0306","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0306"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20549?format=json","purl":"pkg:gem/rails@3.2.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.17"},{"url":"http://public2.vulnerablecode.io/api/packages/20557?format=json","purl":"pkg:gem/rails@4.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/20558?format=json","purl":"pkg:gem/rails@4.1.0.beta2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0.beta2"},{"url":"http://public2.vulnerablecode.io/api/packages/134457?format=json","purl":"pkg:gem/rails@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0"}],"aliases":["CVE-2014-0081","GHSA-m46p-ggm5-5j83","OSV-103439"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3wtf-uu89-2qe5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16106?format=json","vulnerability_id":"VCID-63gy-6njy-kbd8","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792","reference_id":"","reference_type":"","scores":[{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85707","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85711","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85715","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85646","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85689","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.8567","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85663","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85701","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800","reference_id":"2164800","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792","reference_id":"CVE-2023-22792","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792"},{"reference_url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj","reference_id":"GHSA-p84v-45xj-wwqj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007/","reference_id":"ntap-20240202-0007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55817?format=json","purl":"pkg:gem/rails@6.0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-hppf-a715-r7b2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55818?format=json","purl":"pkg:gem/rails@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55813?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22792","GHSA-p84v-45xj-wwqj","GMS-2023-58"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8402?format=json","vulnerability_id":"VCID-877d-u9ag-qqdr","summary":"Rails Denial of Service vulnerability\nUnspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112","reference_id":"","reference_type":"","scores":[{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91681","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91724","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91728","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91726","published_at":"2026-04-11T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91723","published_at":"2026-04-09T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91716","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91695","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.9169","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91703","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.kb.cert.org/vuls/id/699540","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.kb.cert.org/vuls/id/699540"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112","reference_id":"CVE-2006-4112","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml","reference_id":"CVE-2006-4112.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml"},{"reference_url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8","reference_id":"GHSA-9wrq-xvmp-xjc8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[],"aliases":["CVE-2006-4112","GHSA-9wrq-xvmp-xjc8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-877d-u9ag-qqdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33951?format=json","vulnerability_id":"VCID-895a-ydc5-zfg6","summary":"Circumvention of file size limits in ActiveStorage\nThere is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.\n\nVersions Affected:  rails < 5.2.4.2, rails < 6.0.3.1\nNot affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.\nFixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nUtilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8162","reference_id":"","reference_type":"","scores":[{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81411","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81418","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81378","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81431","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81409","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81405","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81376","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81347","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81356","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://github.com/aws/aws-sdk-ruby","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/aws-sdk-ruby"},{"reference_url":"https://github.com/aws/aws-sdk-ruby/issues/2098","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/aws-sdk-ruby/issues/2098"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ"},{"reference_url":"https://hackerone.com/reports/789579","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/789579"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8162","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8162"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843005","reference_id":"1843005","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843005"},{"reference_url":"https://github.com/advisories/GHSA-m42x-37p3-fv5w","reference_id":"GHSA-m42x-37p3-fv5w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m42x-37p3-fv5w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/208404?format=json","purl":"pkg:gem/rails@5.2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/208415?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8162","GHSA-m42x-37p3-fv5w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-895a-ydc5-zfg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10455?format=json","vulnerability_id":"VCID-8dad-dvat-1fg4","summary":"Path Traversal in Action View\n# File Content Disclosure in Action View\n\nImpact \n------ \nThere is a possible file content disclosure vulnerability in Action View.  Specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the  file contents. \n\nThe impact is limited to calls to `render` which render file contents without  a specified accept format.  Impacted code in a controller looks something like this: \n\n``` ruby\nclass UserController < ApplicationController \n  def index \n    render file: \"#{Rails.root}/some/file\" \n  end \nend \n``` \n\nRendering templates as opposed to files is not impacted by this vulnerability. \n\nAll users running an affected release should either upgrade or use one of the workarounds immediately. \n\nReleases \n-------- \nThe 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. \n\nWorkarounds \n----------- \nThis vulnerability can be mitigated by specifying a format for file rendering, like this: \n\n``` ruby\nclass UserController < ApplicationController \n  def index \n    render file: \"#{Rails.root}/some/file\", formats: [:html] \n  end \nend \n``` \n\nIn summary, impacted calls to `render` look like this: \n\n``` \nrender file: \"#{Rails.root}/some/file\" \n``` \n\nThe vulnerability can be mitigated by changing to this: \n\n``` \nrender file: \"#{Rails.root}/some/file\", formats: [:html] \n``` \n\nOther calls to `render` are not impacted. \n\nAlternatively, the following monkey patch can be applied in an initializer: \n\n``` ruby\n$ cat config/initializers/formats_filter.rb \n# frozen_string_literal: true \n\nActionDispatch::Request.prepend(Module.new do \n  def formats \n    super().select do |format| \n      format.symbol || format.ref == \"*/*\" \n    end \n  end \nend) \n``` \n\nCredits \n------- \nThanks to John Hawthorn <john@hawthorn.email> of GitHub","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"},{"reference_url":"http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0796","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:0796"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1147","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1147"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1149","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1149"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1289"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5418","reference_id":"","reference_type":"","scores":[{"value":"0.94318","scoring_system":"epss","scoring_elements":"0.9995","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5418"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418"},{"reference_url":"https://www.exploit-db.com/exploits/46585","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46585"},{"reference_url":"https://www.exploit-db.com/exploits/46585/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://www.exploit-db.com/exploits/46585/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/03/22/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://www.openwall.com/lists/oss-security/2019/03/22/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1689159","reference_id":"1689159","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1689159"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520","reference_id":"924520","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py","reference_id":"CVE-2019-5418","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5418","reference_id":"CVE-2019-5418","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5418"},{"reference_url":"https://github.com/advisories/GHSA-86g5-2wh3-gc9j","reference_id":"GHSA-86g5-2wh3-gc9j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86g5-2wh3-gc9j"},{"reference_url":"https://usn.ubuntu.com/7646-1/","reference_id":"USN-7646-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7646-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35619?format=json","purl":"pkg:gem/rails@4.2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/35621?format=json","purl":"pkg:gem/rails@5.0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/35623?format=json","purl":"pkg:gem/rails@5.1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/35625?format=json","purl":"pkg:gem/rails@5.2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1"}],"aliases":["CVE-2019-5418","GHSA-86g5-2wh3-gc9j"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8dad-dvat-1fg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33938?format=json","vulnerability_id":"VCID-a6sp-18av-wya6","summary":"Possible Strong Parameters Bypass in ActionPack\nThere is a strong parameters bypass vector in ActionPack.\n\nVersions Affected:  rails <= 6.0.3\nNot affected:       rails < 5.0.0\nFixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters.  Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters.  Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n  # Attacker has included the parameter: `{ is_admin: true }`\n  User.update(clean_up_params)\nend\n\ndef clean_up_params\n   params.each { |k, v|  SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164","reference_id":"","reference_type":"","scores":[{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91732","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.9169","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91698","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91703","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91712","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91724","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91731","published_at":"2026-04-09T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91734","published_at":"2026-04-11T12:55:00Z"},{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91736","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"},{"reference_url":"https://hackerone.com/reports/292797","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/292797"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1842634","reference_id":"1842634","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1842634"},{"reference_url":"https://github.com/advisories/GHSA-8727-m6gj-mc37","reference_id":"GHSA-8727-m6gj-mc37","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8727-m6gj-mc37"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/208405?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/208415?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8164","GHSA-8727-m6gj-mc37"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a6sp-18av-wya6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10495?format=json","vulnerability_id":"VCID-c8b5-d83n-nuhw","summary":"Allocation of Resources Without Limits or Throttling\nThere is a possible denial of service vulnerability in Action View (Rails)  where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0796","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:0796"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1147","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1147"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1149","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1149"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1289"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5419","reference_id":"","reference_type":"","scores":[{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93803","published_at":"2026-04-13T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93764","published_at":"2026-04-01T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93773","published_at":"2026-04-02T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93783","published_at":"2026-04-04T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93787","published_at":"2026-04-07T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93795","published_at":"2026-04-08T12:55:00Z"},{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93798","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5419"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715"},{"reference_url":"https://github.com/rails/rails/pull/35708","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/pull/35708"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml"},{"reference_url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/03/22/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/03/22/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1689160","reference_id":"1689160","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1689160"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520","reference_id":"924520","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5419","reference_id":"CVE-2019-5419","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:C"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5419"},{"reference_url":"https://github.com/advisories/GHSA-m63j-wh5w-c252","reference_id":"GHSA-m63j-wh5w-c252","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m63j-wh5w-c252"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35619?format=json","purl":"pkg:gem/rails@4.2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/35621?format=json","purl":"pkg:gem/rails@5.0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/35623?format=json","purl":"pkg:gem/rails@5.1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/35625?format=json","purl":"pkg:gem/rails@5.2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1"}],"aliases":["CVE-2019-5419","GHSA-m63j-wh5w-c252"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8b5-d83n-nuhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33504?format=json","vulnerability_id":"VCID-es1t-7196-4kbb","summary":"CSRF Vulnerability in rails-ujs\nThere is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.\n\nVersions Affected:  rails <= 6.0.3\nNot affected:       Applications which don't use rails-ujs.\nFixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nThis is a regression of CVE-2015-1840.\n\nIn the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.\n\nWorkarounds\n-----------\n\nTo work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.\n\nFor example, code like this:\n\n    link_to params\n\nto code like this:\n\n    link_to filtered_params\n\n    def filtered_params\n      # Filter just the parameters that you trust\n    end","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8167","reference_id":"","reference_type":"","scores":[{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69242","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69177","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69192","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69213","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69195","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69245","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69263","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69285","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69271","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8167"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"},{"reference_url":"https://hackerone.com/reports/189878","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/189878"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8167","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8167"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843084","reference_id":"1843084","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843084"},{"reference_url":"https://github.com/advisories/GHSA-xq5j-gw7f-jgj8","reference_id":"GHSA-xq5j-gw7f-jgj8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xq5j-gw7f-jgj8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/208405?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/208415?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8167","GHSA-xq5j-gw7f-jgj8"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-es1t-7196-4kbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33526?format=json","vulnerability_id":"VCID-g5q6-7uav-sqh1","summary":"Remote code execution via user-provided local names in ActionView\nThe is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.","references":[{"reference_url":"http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8163","reference_id":"","reference_type":"","scores":[{"value":"0.90927","scoring_system":"epss","scoring_elements":"0.99632","published_at":"2026-04-07T12:55:00Z"},{"value":"0.90927","scoring_system":"epss","scoring_elements":"0.99631","published_at":"2026-04-04T12:55:00Z"},{"value":"0.90927","scoring_system":"epss","scoring_elements":"0.99633","published_at":"2026-04-13T12:55:00Z"},{"value":"0.90927","scoring_system":"epss","scoring_elements":"0.9963","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8163"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0"},{"reference_url":"https://hackerone.com/reports/304805","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/304805"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8163","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8163"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1848724","reference_id":"1848724","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1848724"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb","reference_id":"CVE-2020-8163","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb"},{"reference_url":"https://github.com/advisories/GHSA-cr3x-7m39-c6jq","reference_id":"GHSA-cr3x-7m39-c6jq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cr3x-7m39-c6jq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21671?format=json","purl":"pkg:gem/rails@5.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-6yr6-a21g-dyf5"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.1"}],"aliases":["CVE-2020-8163","GHSA-cr3x-7m39-c6jq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g5q6-7uav-sqh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8428?format=json","vulnerability_id":"VCID-gsx2-9sc2-3fbr","summary":"Moderate severity vulnerability that affects rails\nCross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.","references":[{"reference_url":"http://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails"},{"reference_url":"http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"},{"reference_url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-4214","reference_id":"","reference_type":"","scores":[{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81902","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81837","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81848","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.8187","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81866","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81893","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81899","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81919","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.81907","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-4214"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214"},{"reference_url":"http://secunia.com/advisories/37446","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/37446"},{"reference_url":"http://secunia.com/advisories/38915","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/38915"},{"reference_url":"http://support.apple.com/kb/HT4077","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.apple.com/kb/HT4077"},{"reference_url":"http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"},{"reference_url":"http://www.debian.org/security/2011/dsa-2260","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2260"},{"reference_url":"http://www.debian.org/security/2011/dsa-2301","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2301"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/11/27/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/11/27/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/12/08/3","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/12/08/3"},{"reference_url":"http://www.securityfocus.com/bid/37142","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/37142"},{"reference_url":"http://www.securitytracker.com/id?1023245","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id?1023245"},{"reference_url":"http://www.vupen.com/english/advisories/2009/3352","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2009/3352"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=542786","reference_id":"542786","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=542786"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685","reference_id":"558685","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-4214","reference_id":"CVE-2009-4214","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-4214"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml","reference_id":"CVE-2009-4214.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml"},{"reference_url":"https://github.com/advisories/GHSA-9p3v-wf2w-v29c","reference_id":"GHSA-9p3v-wf2w-v29c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9p3v-wf2w-v29c"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[],"aliases":["CVE-2009-4214","GHSA-9p3v-wf2w-v29c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gsx2-9sc2-3fbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16390?format=json","vulnerability_id":"VCID-hppf-a715-r7b2","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81266","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.8121","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81234","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81267","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81288","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81274","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55818?format=json","purl":"pkg:gem/rails@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55813?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6901?format=json","vulnerability_id":"VCID-mep3-6sub-ykdk","summary":"Denial of Service Vulnerability when using render :text\nStrings sent in specially crafted headers will be converted to symbols.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"},{"reference_url":"http://openwall.com/lists/oss-security/2014/02/18/10","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2014/02/18/10"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0082.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0082.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0082","reference_id":"","reference_type":"","scores":[{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91044","published_at":"2026-04-07T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91035","published_at":"2026-04-04T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91021","published_at":"2026-04-01T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91071","published_at":"2026-04-13T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91062","published_at":"2026-04-09T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91056","published_at":"2026-04-08T12:55:00Z"},{"value":"0.06456","scoring_system":"epss","scoring_elements":"0.91026","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/LMxO_3_eCuc","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/LMxO_3_eCuc"},{"reference_url":"https://web.archive.org/web/20201207044540/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201207044540/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"},{"reference_url":"https://web.archive.org/web/20220315115444/https://puppet.com/security/cve/cve-2014-0082","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20220315115444/https://puppet.com/security/cve/cve-2014-0082"},{"reference_url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release"},{"reference_url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/","reference_id":"","reference_type":"","scores":[],"url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1065538","reference_id":"1065538","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1065538"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0082","reference_id":"CVE-2014-0082","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0082"},{"reference_url":"https://github.com/advisories/GHSA-7cgp-c3g7-qvrw","reference_id":"GHSA-7cgp-c3g7-qvrw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cgp-c3g7-qvrw"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0215","reference_id":"RHSA-2014:0215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0306","reference_id":"RHSA-2014:0306","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0306"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20549?format=json","purl":"pkg:gem/rails@3.2.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.17"}],"aliases":["CVE-2014-0082","GHSA-7cgp-c3g7-qvrw","OSV-103440"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mep3-6sub-ykdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34108?format=json","vulnerability_id":"VCID-mnkw-23eu-bkgc","summary":"Ability to forge per-form CSRF tokens in Rails\nIt is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.\n\nImpact\n------\n\nGiven the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166","reference_id":"","reference_type":"","scores":[{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63311","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63348","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63364","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63347","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63329","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63278","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63312","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63284","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.63225","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"},{"reference_url":"https://hackerone.com/reports/732415","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/732415"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843152","reference_id":"1843152","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843152"},{"reference_url":"https://github.com/advisories/GHSA-jp5v-5gx4-jmj9","reference_id":"GHSA-jp5v-5gx4-jmj9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jp5v-5gx4-jmj9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/208405?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/208415?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8166","GHSA-jp5v-5gx4-jmj9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mnkw-23eu-bkgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6870?format=json","vulnerability_id":"VCID-pmrb-t3bm-zkb6","summary":"Denial of Service Vulnerability in Action View\nThere is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1794.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1794.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0008.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0008.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-6414","reference_id":"","reference_type":"","scores":[{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98687","published_at":"2026-04-01T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.987","published_at":"2026-04-13T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98699","published_at":"2026-04-12T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98696","published_at":"2026-04-09T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98695","published_at":"2026-04-07T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98691","published_at":"2026-04-04T12:55:00Z"},{"value":"0.70843","scoring_system":"epss","scoring_elements":"0.98688","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-6414"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417"},{"reference_url":"http://seclists.org/oss-sec/2013/q4/400","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/400"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg"},{"reference_url":"https://puppet.com/security/cve/cve-2013-6414","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2013-6414"},{"reference_url":"https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836"},{"reference_url":"https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414"},{"reference_url":"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released"},{"reference_url":"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"},{"reference_url":"http://www.debian.org/security/2014/dsa-2888","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2014/dsa-2888"},{"reference_url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release"},{"reference_url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/","reference_id":"","reference_type":"","scores":[],"url":"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1036483","reference_id":"1036483","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1036483"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-6414","reference_id":"CVE-2013-6414","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-6414"},{"reference_url":"https://github.com/advisories/GHSA-mpxf-gcw2-pw5q","reference_id":"GHSA-mpxf-gcw2-pw5q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mpxf-gcw2-pw5q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1794","reference_id":"RHSA-2013:1794","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1794"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0008","reference_id":"RHSA-2014:0008","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0008"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20476?format=json","purl":"pkg:gem/rails@3.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mep3-6sub-ykdk"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/20477?format=json","purl":"pkg:gem/rails@4.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-n5fx-u6fs-vydu"},{"vulnerability":"VCID-pb5f-g4uc-r7fp"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-v3r3-bwp5-a3bn"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.2"}],"aliases":["CVE-2013-6414","GHSA-mpxf-gcw2-pw5q","OSV-100525"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pmrb-t3bm-zkb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33875?format=json","vulnerability_id":"VCID-t684-yp58-hkg8","summary":"ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore\nIn ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\nVersions Affected:  rails < 5.2.5, rails < 6.0.4\nNot affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1\n  \nImpact\n------\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8165","reference_id":"","reference_type":"","scores":[{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99586","published_at":"2026-04-04T12:55:00Z"},{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99588","published_at":"2026-04-13T12:55:00Z"},{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99584","published_at":"2026-04-01T12:55:00Z"},{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99585","published_at":"2026-04-02T12:55:00Z"},{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99587","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c"},{"reference_url":"https://hackerone.com/reports/413388","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/413388"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8165","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8165"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250509-0002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250509-0002"},{"reference_url":"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843072","reference_id":"1843072","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1843072"},{"reference_url":"https://github.com/advisories/GHSA-2p68-f74v-9wc6","reference_id":"GHSA-2p68-f74v-9wc6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p68-f74v-9wc6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/208405?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/208415?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12x8-jxdf-jqdz"},{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1xgz-hwng-n3eq"},{"vulnerability":"VCID-5qu2-b8gt-7qe3"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-wyy6-h8bq-vyde"},{"vulnerability":"VCID-zy7d-3db6-sydw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8165","GHSA-2p68-f74v-9wc6"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t684-yp58-hkg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47410?format=json","vulnerability_id":"VCID-wg3a-j2dp-ayh4","summary":"Possible DoS Vulnerability in Action Controller Token Authentication\nThere is a possible DoS vulnerability in the Token Authentication logic in Action Controller.\n\nVersions Affected:  >= 4.0.0\nNot affected:       < 4.0.0\nFixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:\n\n```\nclass PostsController < ApplicationController\n  before_action :authenticate\n\n  private\n\n  def authenticate\n    authenticate_or_request_with_http_token do |token, options|\n      # ...\n    end\n  end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around the issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n  AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-http-authentication-dos.patch - Patch for 5.2 series\n* 6-0-http-authentication-dos.patch - Patch for 6.0 series\n* 6-1-http-authentication-dos.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\nThank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92004","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91987","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91981","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91974","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91966","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379","reference_id":"1961379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584","reference_id":"GHSA-7wjx-3g7j-8584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/250644?format=json","purl":"pkg:gem/rails@5.2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/251921?format=json","purl":"pkg:gem/rails@5.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/250646?format=json","purl":"pkg:gem/rails@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/251922?format=json","purl":"pkg:gem/rails@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxs-yghe-cyck"},{"vulnerability":"VCID-1x8k-t8mr-3fgp"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-65tq-e5eb-eucj"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-jwun-grgg-2uet"},{"vulnerability":"VCID-msda-xqbp-qfdd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.2"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7339?format=json","vulnerability_id":"VCID-z1jv-4ga2-7kd1","summary":"Possible Information Leak Vulnerability\nApplications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2097.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2097.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097","reference_id":"","reference_type":"","scores":[{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83257","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83242","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83226","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83299","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83305","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.8329","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83281","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83295","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4"},{"reference_url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122"},{"reference_url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726"},{"reference_url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"},{"reference_url":"http://www.debian.org/security/2016/dsa-3509","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3509"},{"reference_url":"http://www.securityfocus.com/bid/83726","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/83726"},{"reference_url":"http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1035122"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310043","reference_id":"1310043","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1310043"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097","reference_id":"CVE-2016-2097","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097"},{"reference_url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8","reference_id":"GHSA-vx9j-46rh-fqr8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0454","reference_id":"RHSA-2016:0454","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0454"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0455","reference_id":"RHSA-2016:0455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0456","reference_id":"RHSA-2016:0456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0456"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21991?format=json","purl":"pkg:gem/rails@3.2.22.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/21992?format=json","purl":"pkg:gem/rails@4.1.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-s5ah-tf63-a7cw"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.14.2"}],"aliases":["CVE-2016-2097","GHSA-vx9j-46rh-fqr8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jv-4ga2-7kd1"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6712?format=json","vulnerability_id":"VCID-rps2-k24p-9qgq","summary":"Translate helper method which may allow an attacker to insert arbitrary code into a page\nThe helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain"},{"reference_url":"http://openwall.com/lists/oss-security/2011/11/18/8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2011/11/18/8"},{"reference_url":"http://osvdb.org/77199","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/77199"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4319","reference_id":"","reference_type":"","scores":[{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69705","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69684","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69666","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69615","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69636","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69607","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.6969","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00607","scoring_system":"epss","scoring_elements":"0.69621","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4319"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71364","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c"},{"reference_url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade"},{"reference_url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU"},{"reference_url":"https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722"},{"reference_url":"https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342"},{"reference_url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"},{"reference_url":"http://www.securityfocus.com/bid/50722","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/50722"},{"reference_url":"http://www.securitytracker.com/id?1026342","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1026342"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=755004","reference_id":"755004","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=755004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4319","reference_id":"CVE-2011-4319","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4319"},{"reference_url":"https://github.com/advisories/GHSA-xxr8-833v-c7wc","reference_id":"GHSA-xxr8-833v-c7wc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxr8-833v-c7wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25335?format=json","purl":"pkg:gem/rails@3.0.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mep3-6sub-ykdk"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pmrb-t3bm-zkb6"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.0.11"},{"url":"http://public2.vulnerablecode.io/api/packages/25337?format=json","purl":"pkg:gem/rails@3.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mcx-b9k2-83bh"},{"vulnerability":"VCID-35rt-t6e1-pfa6"},{"vulnerability":"VCID-3wtf-uu89-2qe5"},{"vulnerability":"VCID-63gy-6njy-kbd8"},{"vulnerability":"VCID-877d-u9ag-qqdr"},{"vulnerability":"VCID-895a-ydc5-zfg6"},{"vulnerability":"VCID-8dad-dvat-1fg4"},{"vulnerability":"VCID-a6sp-18av-wya6"},{"vulnerability":"VCID-c8b5-d83n-nuhw"},{"vulnerability":"VCID-es1t-7196-4kbb"},{"vulnerability":"VCID-g5q6-7uav-sqh1"},{"vulnerability":"VCID-gsx2-9sc2-3fbr"},{"vulnerability":"VCID-hppf-a715-r7b2"},{"vulnerability":"VCID-mep3-6sub-ykdk"},{"vulnerability":"VCID-mnkw-23eu-bkgc"},{"vulnerability":"VCID-pmrb-t3bm-zkb6"},{"vulnerability":"VCID-t684-yp58-hkg8"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"},{"vulnerability":"VCID-z1jv-4ga2-7kd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.1.2"}],"aliases":["CVE-2011-4319","GHSA-xxr8-833v-c7wc","OSV-77199"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rps2-k24p-9qgq"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.0.11"}