{"url":"http://public2.vulnerablecode.io/api/packages/51739?format=json","purl":"pkg:gem/actionpack@4.1.1","type":"gem","namespace":"","name":"actionpack","version":"4.1.1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.1.7","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37681?format=json","vulnerability_id":"VCID-5swj-xwsw-rkac","summary":"Directory Traversal Vulnerability With Certain Route Configurations\nThe implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server.","references":[{"reference_url":"http://osvdb.org/show/osvdb/106704","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/show/osvdb/106704"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0510","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0510"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0816","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0816"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1863","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1863"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk"},{"reference_url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244"},{"reference_url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"},{"reference_url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2014-0130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml","reference_id":"CVE-2014-0130.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml"},{"reference_url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx","reference_id":"GHSA-6x85-j5j2-27jx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54580?format=json","purl":"pkg:gem/actionpack@3.2.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/54581?format=json","purl":"pkg:gem/actionpack@4.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/51739?format=json","purl":"pkg:gem/actionpack@4.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.1"}],"aliases":["CVE-2014-0130","GHSA-6x85-j5j2-27jx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5swj-xwsw-rkac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37639?format=json","vulnerability_id":"VCID-vex8-56fk-gqdf","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.","references":[{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081","reference_id":"CVE-2014-0081","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51735?format=json","purl":"pkg:gem/actionpack@3.2.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.17"},{"url":"http://public2.vulnerablecode.io/api/packages/51738?format=json","purl":"pkg:gem/actionpack@4.0.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/51739?format=json","purl":"pkg:gem/actionpack@4.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.1"}],"aliases":["CVE-2014-0081"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vex8-56fk-gqdf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.1"}