{"url":"http://public2.vulnerablecode.io/api/packages/255030?format=json","purl":"pkg:gem/activeresource@3.1.0.rc5","type":"gem","namespace":"","name":"activeresource","version":"3.1.0.rc5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.1.1","latest_non_vulnerable_version":"5.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51601?format=json","vulnerability_id":"VCID-8ucb-ajnh-fqb8","summary":"activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding\nactiveresource contains a lack of encoding flaw in the element_path function of\nlib/active_resource/base.rb.\n\nThere is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.\n\nImpacted code will look something like this:\n\n```\nrequire 'activeresource'\n\nclass Test < ActiveResource::Base\n  self.site = 'http://127.0.0.1:3000'\nend\n\nTest.exists?(untrusted_user_input)\n```\n\nWhere untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.\n\nWorkarounds\n-------------\n\nFor those that can't upgrade, the following monkey patch can be applied:\n\n```\nmodule ActiveResource\n class Base\n   class << self\n     def element_path(id, prefix_options = {}, query_options = nil)\n       check_prefix_options(prefix_options)\n\n       prefix_options, query_options = split_options(prefix_options) if query_options.nil?\n       \"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}\"\n     end\n   end\n end\nend\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8151","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52396","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52336","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8151"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/activeresource","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/activeresource"},{"reference_url":"https://github.com/rails/activeresource/commit/0de18f7e96fa90bbf23b16ac11980bc2cb6a716e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/activeresource/commit/0de18f7e96fa90bbf23b16ac11980bc2cb6a716e"},{"reference_url":"https://github.com/rails/rails/commit/0e969bdaf8ff2e3384350687aa0b583f94d6dfbc","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/0e969bdaf8ff2e3384350687aa0b583f94d6dfbc"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8151","reference_id":"CVE-2020-8151","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8151"},{"reference_url":"https://github.com/advisories/GHSA-46j2-xjgp-jrfm","reference_id":"GHSA-46j2-xjgp-jrfm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-46j2-xjgp-jrfm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77364?format=json","purl":"pkg:gem/activeresource@5.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activeresource@5.1.1"}],"aliases":["CVE-2020-8151","GHSA-46j2-xjgp-jrfm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8ucb-ajnh-fqb8"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activeresource@3.1.0.rc5"}