{"url":"http://public2.vulnerablecode.io/api/packages/53435?format=json","purl":"pkg:gem/rails@1.1.6","type":"gem","namespace":"","name":"rails","version":"1.1.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.7.7","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5410?format=json","vulnerability_id":"VCID-1bxj-7h5q-jbdz","summary":"multiple issues","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.03338","scoring_system":"epss","scoring_elements":"0.87509","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584","reference_id":"GHSA-7wjx-3g7j-8584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/419120?format=json","purl":"pkg:gem/rails@5.2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/419180?format=json","purl":"pkg:gem/rails@5.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/419121?format=json","purl":"pkg:gem/rails@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/419181?format=json","purl":"pkg:gem/rails@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-eecu-e2ds-jbdc"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-sd3k-af7j-h7h4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.2"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bxj-7h5q-jbdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10465?format=json","vulnerability_id":"VCID-26je-urbt-8kee","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"},{"reference_url":"http://openwall.com/lists/oss-security/2014/02/18/8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2014/02/18/8"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0215.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0306.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0081","reference_id":"","reference_type":"","scores":[{"value":"0.00885","scoring_system":"epss","scoring_elements":"0.75774","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4"},{"reference_url":"https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782"},{"reference_url":"https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647"},{"reference_url":"https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081","reference_id":"CVE-2014-0081","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0081"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml","reference_id":"CVE-2014-0081.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml","reference_id":"CVE-2014-0081.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml"},{"reference_url":"https://github.com/advisories/GHSA-m46p-ggm5-5j83","reference_id":"GHSA-m46p-ggm5-5j83","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m46p-ggm5-5j83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50640?format=json","purl":"pkg:gem/rails@3.2.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.17"},{"url":"http://public2.vulnerablecode.io/api/packages/50648?format=json","purl":"pkg:gem/rails@4.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-ct3m-wed2-6bhq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f4zb-2ajn-w3et"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/50649?format=json","purl":"pkg:gem/rails@4.1.0.beta2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-ct3m-wed2-6bhq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f4zb-2ajn-w3et"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0.beta2"},{"url":"http://public2.vulnerablecode.io/api/packages/89493?format=json","purl":"pkg:gem/rails@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-ct3m-wed2-6bhq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f4zb-2ajn-w3et"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0"}],"aliases":["CVE-2014-0081","GHSA-m46p-ggm5-5j83","OSV-103439"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-26je-urbt-8kee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15585?format=json","vulnerability_id":"VCID-84x9-y43n-8uca","summary":"Cross site scripting in actionpack Rubygem\nA cross-site scripting vulnerability flaw was found in the `auto_link` function in Rails before version 3.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-1497","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55943","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-1497"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"},{"reference_url":"https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d"},{"reference_url":"https://github.com/rails/rails/commit/ab764ecbfea31a3b14323283287e2fc80955ace6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/ab764ecbfea31a3b14323283287e2fc80955ace6"},{"reference_url":"https://www.openwall.com/lists/oss-security/2011/04/06/13","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2011/04/06/13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-1497","reference_id":"CVE-2011-1497","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-1497"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-1497.yml","reference_id":"CVE-2011-1497.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-1497.yml"},{"reference_url":"https://github.com/advisories/GHSA-q58j-fmvf-9rq6","reference_id":"GHSA-q58j-fmvf-9rq6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q58j-fmvf-9rq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60472?format=json","purl":"pkg:gem/rails@3.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f8s8-epzh-3bhw"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-ghfd-u91m-dbdz"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-tc9x-h24m-9ufe"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.0.6"}],"aliases":["CVE-2011-1497","GHSA-q58j-fmvf-9rq6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84x9-y43n-8uca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166954?format=json","vulnerability_id":"VCID-ajrj-qz9v-27d5","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8167","reference_id":"","reference_type":"","scores":[{"value":"0.00427","scoring_system":"epss","scoring_elements":"0.62697","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"},{"reference_url":"https://hackerone.com/reports/189878","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/189878"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8167","reference_id":"CVE-2020-8167","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8167"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml","reference_id":"CVE-2020-8167.YML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml"},{"reference_url":"https://github.com/advisories/GHSA-xq5j-gw7f-jgj8","reference_id":"GHSA-xq5j-gw7f-jgj8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xq5j-gw7f-jgj8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/417691?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/417692?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-7yhn-w7nv-xqf7"},{"vulnerability":"VCID-8c6b-8z6x-2uen"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-e4f9-zs85-4bgh"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-t7pe-vz5p-rfed"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8167","GHSA-xq5j-gw7f-jgj8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajrj-qz9v-27d5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11815?format=json","vulnerability_id":"VCID-bkb7-2vvb-zfeq","summary":"Rails Denial of Service vulnerability\nUnspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112","reference_id":"","reference_type":"","scores":[{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91837","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.kb.cert.org/vuls/id/699540","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.kb.cert.org/vuls/id/699540"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112","reference_id":"CVE-2006-4112","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml","reference_id":"CVE-2006-4112.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml"},{"reference_url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8","reference_id":"GHSA-9wrq-xvmp-xjc8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[],"aliases":["CVE-2006-4112","GHSA-9wrq-xvmp-xjc8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkb7-2vvb-zfeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11835?format=json","vulnerability_id":"VCID-c3hd-njh3-b3bg","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nMultiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.","references":[{"reference_url":"http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1","reference_id":"","reference_type":"","scores":[],"url":"http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"},{"reference_url":"http://gist.github.com/8946","reference_id":"","reference_type":"","scores":[],"url":"http://gist.github.com/8946"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"},{"reference_url":"http://rails.lighthouseapp.com/projects/8994/tickets/288","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rails.lighthouseapp.com/projects/8994/tickets/288"},{"reference_url":"http://rails.lighthouseapp.com/projects/8994/tickets/964","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rails.lighthouseapp.com/projects/8994/tickets/964"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2008-4094","reference_id":"","reference_type":"","scores":[{"value":"0.03119","scoring_system":"epss","scoring_elements":"0.87069","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2008-4094"},{"reference_url":"http://secunia.com/advisories/31875","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/31875"},{"reference_url":"http://secunia.com/advisories/31909","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/31909"},{"reference_url":"http://secunia.com/advisories/31910","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/31910"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/45109","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645"},{"reference_url":"https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"},{"reference_url":"https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch"},{"reference_url":"https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch"},{"reference_url":"https://web.archive.org/web/20081104151751/http://gist.github.com/8946","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20081104151751/http://gist.github.com/8946"},{"reference_url":"https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875"},{"reference_url":"https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/"},{"reference_url":"https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909"},{"reference_url":"https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910"},{"reference_url":"https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562"},{"reference_url":"https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176"},{"reference_url":"https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871"},{"reference_url":"http://www.openwall.com/lists/oss-security/2008/09/13/2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2008/09/13/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2008/09/16/1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2008/09/16/1"},{"reference_url":"http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter"},{"reference_url":"http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/","reference_id":"","reference_type":"","scores":[],"url":"http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"},{"reference_url":"http://www.securityfocus.com/bid/31176","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/31176"},{"reference_url":"http://www.securitytracker.com/id?1020871","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1020871"},{"reference_url":"http://www.vupen.com/english/advisories/2008/2562","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2008/2562"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500791","reference_id":"500791","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500791"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2008-4094","reference_id":"CVE-2008-4094","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-4094"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml","reference_id":"CVE-2008-4094.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml"},{"reference_url":"https://github.com/advisories/GHSA-xf96-32q2-9rw2","reference_id":"GHSA-xf96-32q2-9rw2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xf96-32q2-9rw2"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53530?format=json","purl":"pkg:gem/rails@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-6cjf-b88j-n3bw"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-dz1r-ae9g-57en"},{"vulnerability":"VCID-fm16-z8wy-6fgz"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sevc-c95q-tyg8"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.1.1"}],"aliases":["CVE-2008-4094","GHSA-xf96-32q2-9rw2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c3hd-njh3-b3bg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11873?format=json","vulnerability_id":"VCID-d7rs-7c74-xkex","summary":"Improper Authentication\nThe example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.","references":[{"reference_url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"},{"reference_url":"http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2422","reference_id":"","reference_type":"","scores":[{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61174","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2422"},{"reference_url":"http://secunia.com/advisories/35702","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/35702"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/51528","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/51528"},{"reference_url":"http://support.apple.com/kb/HT4077","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.apple.com/kb/HT4077"},{"reference_url":"https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702"},{"reference_url":"https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579"},{"reference_url":"http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest"},{"reference_url":"http://www.securityfocus.com/bid/35579","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/35579"},{"reference_url":"http://www.vupen.com/english/advisories/2009/1802","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2009/1802"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535896","reference_id":"535896","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535896"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-2422","reference_id":"CVE-2009-2422","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-2422"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml","reference_id":"CVE-2009-2422.YML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml"},{"reference_url":"https://github.com/advisories/GHSA-rxq3-gm4p-5fj4","reference_id":"GHSA-rxq3-gm4p-5fj4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rxq3-gm4p-5fj4"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53568?format=json","purl":"pkg:gem/rails@2.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-6cjf-b88j-n3bw"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-dz1r-ae9g-57en"},{"vulnerability":"VCID-fm16-z8wy-6fgz"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.3.3"}],"aliases":["CVE-2009-2422","GHSA-rxq3-gm4p-5fj4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d7rs-7c74-xkex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166950?format=json","vulnerability_id":"VCID-dyc8-6n4n-cyap","summary":"","references":[{"reference_url":"http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8163","reference_id":"","reference_type":"","scores":[{"value":"0.91071","scoring_system":"epss","scoring_elements":"0.99658","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8163"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0"},{"reference_url":"https://hackerone.com/reports/304805","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/304805"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb","reference_id":"CVE-2020-8163","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8163","reference_id":"CVE-2020-8163","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8163"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml","reference_id":"CVE-2020-8163.YML","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml"},{"reference_url":"https://github.com/advisories/GHSA-cr3x-7m39-c6jq","reference_id":"GHSA-cr3x-7m39-c6jq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cr3x-7m39-c6jq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51462?format=json","purl":"pkg:gem/rails@5.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-wz47-y64c-j7d2"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.1"}],"aliases":["CVE-2020-8163","GHSA-cr3x-7m39-c6jq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dyc8-6n4n-cyap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11809?format=json","vulnerability_id":"VCID-fqcm-4af1-e3c1","summary":"Ruby on Rails vulnerable to code injection\nRuby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.","references":[{"reference_url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111","reference_id":"","reference_type":"","scores":[{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88603","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111"},{"reference_url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111","reference_id":"CVE-2006-4111","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml","reference_id":"CVE-2006-4111.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml"},{"reference_url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp","reference_id":"GHSA-rvpq-5xqx-pfpp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[],"aliases":["CVE-2006-4111","GHSA-rvpq-5xqx-pfpp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqcm-4af1-e3c1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11832?format=json","vulnerability_id":"VCID-fqw6-tq5j-2udc","summary":"Moderate severity vulnerability that affects rails\nRails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.","references":[{"reference_url":"http://bugs.gentoo.org/show_bug.cgi?id=195315","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.gentoo.org/show_bug.cgi?id=195315"},{"reference_url":"http://docs.info.apple.com/article.html?artnum=307179","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://docs.info.apple.com/article.html?artnum=307179"},{"reference_url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-5379","reference_id":"","reference_type":"","scores":[{"value":"0.10596","scoring_system":"epss","scoring_elements":"0.93407","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-5379"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200711-17.xml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://security.gentoo.org/glsa/glsa-200711-17.xml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"},{"reference_url":"https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453"},{"reference_url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"},{"reference_url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html"},{"reference_url":"http://www.vupen.com/english/advisories/2007/3508","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/3508"},{"reference_url":"http://www.vupen.com/english/advisories/2007/4238","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/4238"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5379","reference_id":"CVE-2007-5379","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5379"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml","reference_id":"CVE-2007-5379.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml"},{"reference_url":"https://github.com/advisories/GHSA-fjfg-q662-gm6j","reference_id":"GHSA-fjfg-q662-gm6j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fjfg-q662-gm6j"},{"reference_url":"https://security.gentoo.org/glsa/200711-17","reference_id":"GLSA-200711-17","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200711-17"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53472?format=json","purl":"pkg:gem/rails@1.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-fqw6-tq5j-2udc"},{"vulnerability":"VCID-gq64-ywx7-jyfq"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/53567?format=json","purl":"pkg:gem/rails@1.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.2.5"}],"aliases":["CVE-2007-5379","GHSA-fjfg-q662-gm6j","OSV-40717"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqw6-tq5j-2udc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11872?format=json","vulnerability_id":"VCID-gq64-ywx7-jyfq","summary":"Moderate severity vulnerability that affects rails\nCross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.","references":[{"reference_url":"http://bugs.gentoo.org/show_bug.cgi?id=195315","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.gentoo.org/show_bug.cgi?id=195315"},{"reference_url":"http://dev.rubyonrails.org/ticket/8371","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://dev.rubyonrails.org/ticket/8371"},{"reference_url":"http://osvdb.org/36378","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://osvdb.org/36378"},{"reference_url":"http://pastie.caboo.se/65550.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://pastie.caboo.se/65550.txt"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-3227","reference_id":"","reference_type":"","scores":[{"value":"0.13946","scoring_system":"epss","scoring_elements":"0.94441","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-3227"},{"reference_url":"http://secunia.com/advisories/25699","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/25699"},{"reference_url":"http://secunia.com/advisories/27657","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/27657"},{"reference_url":"http://secunia.com/advisories/27756","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/27756"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200711-17.xml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://security.gentoo.org/glsa/glsa-200711-17.xml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release"},{"reference_url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"},{"reference_url":"http://www.novell.com/linux/security/advisories/2007_24_sr.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2007_24_sr.html"},{"reference_url":"http://www.securityfocus.com/bid/24161","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/24161"},{"reference_url":"http://www.vupen.com/english/advisories/2007/2216","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/2216"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429177","reference_id":"429177","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429177"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-3227","reference_id":"CVE-2007-3227","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-3227"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/30089.txt","reference_id":"CVE-2007-3227;OSVDB-36378","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/30089.txt"},{"reference_url":"https://www.securityfocus.com/bid/24161/info","reference_id":"CVE-2007-3227;OSVDB-36378","reference_type":"exploit","scores":[],"url":"https://www.securityfocus.com/bid/24161/info"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml","reference_id":"CVE-2007-3227.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml"},{"reference_url":"https://github.com/advisories/GHSA-gm25-fpmr-43fj","reference_id":"GHSA-gm25-fpmr-43fj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gm25-fpmr-43fj"},{"reference_url":"https://security.gentoo.org/glsa/200711-17","reference_id":"GLSA-200711-17","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200711-17"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53567?format=json","purl":"pkg:gem/rails@1.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.2.5"}],"aliases":["CVE-2007-3227","GHSA-gm25-fpmr-43fj","OSV-36378"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gq64-ywx7-jyfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166953?format=json","vulnerability_id":"VCID-hbym-agkh-fqdj","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166","reference_id":"","reference_type":"","scores":[{"value":"0.00443","scoring_system":"epss","scoring_elements":"0.636","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8166"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/"}],"url":"https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"},{"reference_url":"https://hackerone.com/reports/732415","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/"}],"url":"https://hackerone.com/reports/732415"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/"}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166","reference_id":"CVE-2020-8166","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8166"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml","reference_id":"CVE-2020-8166.YML","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml"},{"reference_url":"https://github.com/advisories/GHSA-jp5v-5gx4-jmj9","reference_id":"GHSA-jp5v-5gx4-jmj9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jp5v-5gx4-jmj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/417691?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/417692?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-7yhn-w7nv-xqf7"},{"vulnerability":"VCID-8c6b-8z6x-2uen"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-e4f9-zs85-4bgh"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-t7pe-vz5p-rfed"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8166","GHSA-jp5v-5gx4-jmj9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hbym-agkh-fqdj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166949?format=json","vulnerability_id":"VCID-hqc8-8cu1-rfgm","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8162","reference_id":"","reference_type":"","scores":[{"value":"0.01549","scoring_system":"epss","scoring_elements":"0.81716","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8162"},{"reference_url":"https://github.com/aws/aws-sdk-ruby","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/aws-sdk-ruby"},{"reference_url":"https://github.com/aws/aws-sdk-ruby/issues/2098","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/aws-sdk-ruby/issues/2098"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ"},{"reference_url":"https://hackerone.com/reports/789579","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/789579"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8162","reference_id":"CVE-2020-8162","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8162"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml","reference_id":"CVE-2020-8162.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml"},{"reference_url":"https://github.com/advisories/GHSA-m42x-37p3-fv5w","reference_id":"GHSA-m42x-37p3-fv5w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m42x-37p3-fv5w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/417695?format=json","purl":"pkg:gem/rails@5.2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/417692?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-7yhn-w7nv-xqf7"},{"vulnerability":"VCID-8c6b-8z6x-2uen"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-e4f9-zs85-4bgh"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-t7pe-vz5p-rfed"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8162","GHSA-m42x-37p3-fv5w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hqc8-8cu1-rfgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11806?format=json","vulnerability_id":"VCID-hud5-xxhh-u3ex","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.","references":[{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0446","reference_id":"","reference_type":"","scores":[{"value":"0.0067","scoring_system":"epss","scoring_elements":"0.71687","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0446"},{"reference_url":"http://secunia.com/advisories/43274","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43274"},{"reference_url":"http://secunia.com/advisories/43666","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/43666"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217"},{"reference_url":"https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ"},{"reference_url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274"},{"reference_url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666"},{"reference_url":"https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291"},{"reference_url":"https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064"},{"reference_url":"http://www.debian.org/security/2011/dsa-2247","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2247"},{"reference_url":"http://www.securityfocus.com/bid/46291","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/46291"},{"reference_url":"http://www.securitytracker.com/id?1025064","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1025064"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0587","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0587"},{"reference_url":"http://www.vupen.com/english/advisories/2011/0877","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2011/0877"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864","reference_id":"614864","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0446","reference_id":"CVE-2011-0446","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0446"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml","reference_id":"CVE-2011-0446.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml","reference_id":"CVE-2011-0446.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml"},{"reference_url":"https://github.com/advisories/GHSA-75w6-p6mg-vh8j","reference_id":"GHSA-75w6-p6mg-vh8j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-75w6-p6mg-vh8j"},{"reference_url":"https://security.gentoo.org/glsa/201412-28","reference_id":"GLSA-201412-28","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-28"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53429?format=json","purl":"pkg:gem/rails@2.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.3.11"},{"url":"http://public2.vulnerablecode.io/api/packages/53430?format=json","purl":"pkg:gem/rails@3.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f8s8-epzh-3bhw"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-ghfd-u91m-dbdz"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-tc9x-h24m-9ufe"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.0.4"}],"aliases":["CVE-2011-0446","GHSA-75w6-p6mg-vh8j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hud5-xxhh-u3ex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10499?format=json","vulnerability_id":"VCID-j52w-azvw-1ycn","summary":"Directory Traversal Vulnerability With Certain Route Configurations\nThe implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server.","references":[{"reference_url":"http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"},{"reference_url":"http://osvdb.org/show/osvdb/106704","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/show/osvdb/106704"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://rhn.redhat.com/errata/RHSA-2014-1863.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0510","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:0510"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0816","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:0816"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1863","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2014:1863"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0130","reference_id":"","reference_type":"","scores":[{"value":"0.5271","scoring_system":"epss","scoring_elements":"0.97991","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0130"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1095105"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/PyJo7_m-Ehk"},{"reference_url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244"},{"reference_url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150319054505/http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"},{"reference_url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130"},{"reference_url":"http://www.securityfocus.com/bid/67244","reference_id":"67244","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/"}],"url":"http://www.securityfocus.com/bid/67244"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/CVE-2014-0130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130","reference_id":"CVE-2014-0130","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0130"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml","reference_id":"CVE-2014-0130.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml"},{"reference_url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx","reference_id":"GHSA-6x85-j5j2-27jx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6x85-j5j2-27jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50753?format=json","purl":"pkg:gem/rails@3.2.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/50754?format=json","purl":"pkg:gem/rails@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-ct3m-wed2-6bhq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f4zb-2ajn-w3et"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/50755?format=json","purl":"pkg:gem/rails@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-ct3m-wed2-6bhq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-f4zb-2ajn-w3et"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.1"}],"aliases":["CVE-2014-0130","GHSA-6x85-j5j2-27jx"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j52w-azvw-1ycn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166951?format=json","vulnerability_id":"VCID-mrwn-mkcp-j7dv","summary":"","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164","reference_id":"","reference_type":"","scores":[{"value":"0.07389","scoring_system":"epss","scoring_elements":"0.91846","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8164"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"},{"reference_url":"https://hackerone.com/reports/292797","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/292797"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164","reference_id":"CVE-2020-8164","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8164"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml","reference_id":"CVE-2020-8164.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml"},{"reference_url":"https://github.com/advisories/GHSA-8727-m6gj-mc37","reference_id":"GHSA-8727-m6gj-mc37","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8727-m6gj-mc37"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/417691?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/417692?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-7yhn-w7nv-xqf7"},{"vulnerability":"VCID-8c6b-8z6x-2uen"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-e4f9-zs85-4bgh"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-t7pe-vz5p-rfed"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8164","GHSA-8727-m6gj-mc37"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mrwn-mkcp-j7dv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11840?format=json","vulnerability_id":"VCID-mvfq-sajq-bfb9","summary":"Moderate severity vulnerability that affects rails\nCross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.","references":[{"reference_url":"http://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails"},{"reference_url":"http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"},{"reference_url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-4214","reference_id":"","reference_type":"","scores":[{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.82215","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-4214"},{"reference_url":"http://secunia.com/advisories/37446","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/37446"},{"reference_url":"http://secunia.com/advisories/38915","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/38915"},{"reference_url":"http://support.apple.com/kb/HT4077","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.apple.com/kb/HT4077"},{"reference_url":"http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"},{"reference_url":"http://www.debian.org/security/2011/dsa-2260","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2260"},{"reference_url":"http://www.debian.org/security/2011/dsa-2301","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2301"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/11/27/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/11/27/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2009/12/08/3","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2009/12/08/3"},{"reference_url":"http://www.securityfocus.com/bid/37142","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/37142"},{"reference_url":"http://www.securitytracker.com/id?1023245","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id?1023245"},{"reference_url":"http://www.vupen.com/english/advisories/2009/3352","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2009/3352"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685","reference_id":"558685","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-4214","reference_id":"CVE-2009-4214","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-4214"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml","reference_id":"CVE-2009-4214.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml"},{"reference_url":"https://github.com/advisories/GHSA-9p3v-wf2w-v29c","reference_id":"GHSA-9p3v-wf2w-v29c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9p3v-wf2w-v29c"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53488?format=json","purl":"pkg:gem/rails@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-6cjf-b88j-n3bw"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-dz1r-ae9g-57en"},{"vulnerability":"VCID-fm16-z8wy-6fgz"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/53489?format=json","purl":"pkg:gem/rails@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-6cjf-b88j-n3bw"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.3.5"}],"aliases":["CVE-2009-4214","GHSA-9p3v-wf2w-v29c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mvfq-sajq-bfb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16834?format=json","vulnerability_id":"VCID-n2ap-zgrd-skhf","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01339","scoring_system":"epss","scoring_elements":"0.80316","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62716?format=json","purl":"pkg:gem/rails@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9k6x-w193-euh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/62712?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4jjq-jkgc-mkca"},{"vulnerability":"VCID-9k6x-w193-euh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2ap-zgrd-skhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13440?format=json","vulnerability_id":"VCID-ns2u-nkbu-7fbp","summary":"Path Traversal in Action View\n# File Content Disclosure in Action View\n\nImpact \n------ \nThere is a possible file content disclosure vulnerability in Action View.  Specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the  file contents. \n\nThe impact is limited to calls to `render` which render file contents without  a specified accept format.  Impacted code in a controller looks something like this: \n\n``` ruby\nclass UserController < ApplicationController \n  def index \n    render file: \"#{Rails.root}/some/file\" \n  end \nend \n``` \n\nRendering templates as opposed to files is not impacted by this vulnerability. \n\nAll users running an affected release should either upgrade or use one of the workarounds immediately. \n\nReleases \n-------- \nThe 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. \n\nWorkarounds \n----------- \nThis vulnerability can be mitigated by specifying a format for file rendering, like this: \n\n``` ruby\nclass UserController < ApplicationController \n  def index \n    render file: \"#{Rails.root}/some/file\", formats: [:html] \n  end \nend \n``` \n\nIn summary, impacted calls to `render` look like this: \n\n``` \nrender file: \"#{Rails.root}/some/file\" \n``` \n\nThe vulnerability can be mitigated by changing to this: \n\n``` \nrender file: \"#{Rails.root}/some/file\", formats: [:html] \n``` \n\nOther calls to `render` are not impacted. \n\nAlternatively, the following monkey patch can be applied in an initializer: \n\n``` ruby\n$ cat config/initializers/formats_filter.rb \n# frozen_string_literal: true \n\nActionDispatch::Request.prepend(Module.new do \n  def formats \n    super().select do |format| \n      format.symbol || format.ref == \"*/*\" \n    end \n  end \nend) \n``` \n\nCredits \n------- \nThanks to John Hawthorn <john@hawthorn.email> of GitHub","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"},{"reference_url":"http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0796","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:0796"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1147","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1147"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1149","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1149"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:1289"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5418","reference_id":"","reference_type":"","scores":[{"value":"0.94318","scoring_system":"epss","scoring_elements":"0.99952","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5418"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418"},{"reference_url":"https://www.exploit-db.com/exploits/46585","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46585"},{"reference_url":"https://www.exploit-db.com/exploits/46585/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://www.exploit-db.com/exploits/46585/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/03/22/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"http://www.openwall.com/lists/oss-security/2019/03/22/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520","reference_id":"924520","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py","reference_id":"CVE-2019-5418","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5418","reference_id":"CVE-2019-5418","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5418"},{"reference_url":"https://github.com/advisories/GHSA-86g5-2wh3-gc9j","reference_id":"GHSA-86g5-2wh3-gc9j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86g5-2wh3-gc9j"},{"reference_url":"https://usn.ubuntu.com/7646-1/","reference_id":"USN-7646-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7646-1/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/","reference_id":"Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56667?format=json","purl":"pkg:gem/rails@4.2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/56668?format=json","purl":"pkg:gem/rails@5.0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/56669?format=json","purl":"pkg:gem/rails@5.1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/56670?format=json","purl":"pkg:gem/rails@5.2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1"}],"aliases":["CVE-2019-5418","GHSA-86g5-2wh3-gc9j"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ns2u-nkbu-7fbp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166952?format=json","vulnerability_id":"VCID-sqqx-kuhq-ebhw","summary":"","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8165","reference_id":"","reference_type":"","scores":[{"value":"0.90128","scoring_system":"epss","scoring_elements":"0.99604","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8165"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c"},{"reference_url":"https://hackerone.com/reports/413388","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/413388"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250509-0002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250509-0002"},{"reference_url":"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released"},{"reference_url":"https://www.debian.org/security/2020/dsa-4766","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8165","reference_id":"CVE-2020-8165","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8165"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml","reference_id":"CVE-2020-8165.YML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml"},{"reference_url":"https://github.com/advisories/GHSA-2p68-f74v-9wc6","reference_id":"GHSA-2p68-f74v-9wc6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p68-f74v-9wc6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/417691?format=json","purl":"pkg:gem/rails@5.2.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3"},{"url":"http://public2.vulnerablecode.io/api/packages/417692?format=json","purl":"pkg:gem/rails@6.0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-7yhn-w7nv-xqf7"},{"vulnerability":"VCID-8c6b-8z6x-2uen"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-e4f9-zs85-4bgh"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-nvse-2qzf-n7ba"},{"vulnerability":"VCID-t7pe-vz5p-rfed"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1"}],"aliases":["CVE-2020-8165","GHSA-2p68-f74v-9wc6"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sqqx-kuhq-ebhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11861?format=json","vulnerability_id":"VCID-sx3y-xa4f-gkcf","summary":"The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks.  NOTE: this is due to an incomplete fix for CVE-2007-5380.","references":[{"reference_url":"http://dev.rubyonrails.org/changeset/8177","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://dev.rubyonrails.org/changeset/8177"},{"reference_url":"http://dev.rubyonrails.org/ticket/10048","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://dev.rubyonrails.org/ticket/10048"},{"reference_url":"http://docs.info.apple.com/article.html?artnum=307179","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://docs.info.apple.com/article.html?artnum=307179"},{"reference_url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-6077","reference_id":"","reference_type":"","scores":[{"value":"0.03262","scoring_system":"epss","scoring_elements":"0.8737","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-6077"},{"reference_url":"http://secunia.com/advisories/27781","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/27781"},{"reference_url":"http://secunia.com/advisories/28136","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/28136"},{"reference_url":"https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release"},{"reference_url":"http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release"},{"reference_url":"http://www.securityfocus.com/bid/26598","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/26598"},{"reference_url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html"},{"reference_url":"http://www.vupen.com/english/advisories/2007/4009","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/4009"},{"reference_url":"http://www.vupen.com/english/advisories/2007/4238","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/4238"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452748","reference_id":"452748","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452748"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-6077","reference_id":"CVE-2007-6077","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-6077"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml","reference_id":"CVE-2007-6077.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml"},{"reference_url":"https://github.com/advisories/GHSA-p4c6-77gc-694x","reference_id":"GHSA-p4c6-77gc-694x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4c6-77gc-694x"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53539?format=json","purl":"pkg:gem/rails@1.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.2.6"}],"aliases":["CVE-2007-6077","GHSA-p4c6-77gc-694x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sx3y-xa4f-gkcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11828?format=json","vulnerability_id":"VCID-tf9s-mg9q-1kfd","summary":"Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\"","references":[{"reference_url":"http://bugs.gentoo.org/show_bug.cgi?id=195315","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.gentoo.org/show_bug.cgi?id=195315"},{"reference_url":"http://docs.info.apple.com/article.html?artnum=307179","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://docs.info.apple.com/article.html?artnum=307179"},{"reference_url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-5380","reference_id":"","reference_type":"","scores":[{"value":"0.05845","scoring_system":"epss","scoring_elements":"0.90689","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-5380"},{"reference_url":"http://secunia.com/advisories/27657","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/27657"},{"reference_url":"http://secunia.com/advisories/27965","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/27965"},{"reference_url":"http://secunia.com/advisories/28136","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/28136"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200711-17.xml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://security.gentoo.org/glsa/glsa-200711-17.xml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"},{"reference_url":"http://www.novell.com/linux/security/advisories/2007_25_sr.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2007_25_sr.html"},{"reference_url":"http://www.securityfocus.com/bid/26096","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/26096"},{"reference_url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.us-cert.gov/cas/techalerts/TA07-352A.html"},{"reference_url":"http://www.vupen.com/english/advisories/2007/3508","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/3508"},{"reference_url":"http://www.vupen.com/english/advisories/2007/4238","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2007/4238"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5380","reference_id":"CVE-2007-5380","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5380"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml","reference_id":"CVE-2007-5380.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml"},{"reference_url":"https://github.com/advisories/GHSA-jwhv-rgqc-fqj5","reference_id":"GHSA-jwhv-rgqc-fqj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jwhv-rgqc-fqj5"},{"reference_url":"https://security.gentoo.org/glsa/200711-17","reference_id":"GLSA-200711-17","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200711-17"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53472?format=json","purl":"pkg:gem/rails@1.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-fqw6-tq5j-2udc"},{"vulnerability":"VCID-gq64-ywx7-jyfq"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.2.4"}],"aliases":["CVE-2007-5380","GHSA-jwhv-rgqc-fqj5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tf9s-mg9q-1kfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13470?format=json","vulnerability_id":"VCID-uw5h-1fk2-abat","summary":"Allocation of Resources Without Limits or Throttling\nThere is a possible denial of service vulnerability in Action View (Rails)  where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0796","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:0796"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1147","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1147"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1149","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1149"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:1289"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5419","reference_id":"","reference_type":"","scores":[{"value":"0.12118","scoring_system":"epss","scoring_elements":"0.93922","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5419"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715"},{"reference_url":"https://github.com/rails/rails/pull/35708","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/pull/35708"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/03/22/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/03/22/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520","reference_id":"924520","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5419","reference_id":"CVE-2019-5419","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5419"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml","reference_id":"CVE-2019-5419.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml"},{"reference_url":"https://github.com/advisories/GHSA-m63j-wh5w-c252","reference_id":"GHSA-m63j-wh5w-c252","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m63j-wh5w-c252"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56667?format=json","purl":"pkg:gem/rails@4.2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/56668?format=json","purl":"pkg:gem/rails@5.0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/56669?format=json","purl":"pkg:gem/rails@5.1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/56670?format=json","purl":"pkg:gem/rails@5.2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-1f8y-2bmg-qufg"},{"vulnerability":"VCID-9k6x-w193-euh4"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-be3d-1x2j-qffu"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-w3hp-78sw-hfa4"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1"}],"aliases":["CVE-2019-5419","GHSA-m63j-wh5w-c252"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uw5h-1fk2-abat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10877?format=json","vulnerability_id":"VCID-vm51-p4w4-n3du","summary":"Possible Information Leak Vulnerability\nApplications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097","reference_id":"","reference_type":"","scores":[{"value":"0.01912","scoring_system":"epss","scoring_elements":"0.83609","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2097"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4"},{"reference_url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122"},{"reference_url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726"},{"reference_url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released"},{"reference_url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"},{"reference_url":"http://www.debian.org/security/2016/dsa-3509","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3509"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097","reference_id":"CVE-2016-2097","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2097"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml","reference_id":"CVE-2016-2097.YML","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml","reference_id":"CVE-2016-2097.YML","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml"},{"reference_url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8","reference_id":"GHSA-vx9j-46rh-fqr8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx9j-46rh-fqr8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51537?format=json","purl":"pkg:gem/rails@3.2.22.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@3.2.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/51538?format=json","purl":"pkg:gem/rails@4.1.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-apra-79g2-wkfn"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-yp5x-mgfj-xbbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.14.2"}],"aliases":["CVE-2016-2097","GHSA-vx9j-46rh-fqr8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vm51-p4w4-n3du"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11830?format=json","vulnerability_id":"VCID-wj98-mgjt-6uay","summary":"rails is vulnerable to CRLF injection\nCRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.","references":[{"reference_url":"http://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails"},{"reference_url":"http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2008-5189","reference_id":"","reference_type":"","scores":[{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37873","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2008-5189"},{"reference_url":"http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"},{"reference_url":"http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2008-5189","reference_id":"CVE-2008-5189","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-5189"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml","reference_id":"CVE-2008-5189.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml"},{"reference_url":"https://github.com/advisories/GHSA-jmgf-p46x-982h","reference_id":"GHSA-jmgf-p46x-982h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmgf-p46x-982h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53476?format=json","purl":"pkg:gem/rails@2.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fm16-z8wy-6fgz"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-kyj5-b8wz-pkgj"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@2.0.5"}],"aliases":["CVE-2008-5189","GHSA-jmgf-p46x-982h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wj98-mgjt-6uay"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11815?format=json","vulnerability_id":"VCID-bkb7-2vvb-zfeq","summary":"Rails Denial of Service vulnerability\nUnspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112","reference_id":"","reference_type":"","scores":[{"value":"0.07371","scoring_system":"epss","scoring_elements":"0.91837","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4112"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/28364"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.kb.cert.org/vuls/id/699540","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.kb.cert.org/vuls/id/699540"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112","reference_id":"CVE-2006-4112","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4112"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml","reference_id":"CVE-2006-4112.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml"},{"reference_url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8","reference_id":"GHSA-9wrq-xvmp-xjc8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrq-xvmp-xjc8"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53435?format=json","purl":"pkg:gem/rails@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-fqw6-tq5j-2udc"},{"vulnerability":"VCID-gq64-ywx7-jyfq"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-tf9s-mg9q-1kfd"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.1.6"}],"aliases":["CVE-2006-4112","GHSA-9wrq-xvmp-xjc8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkb7-2vvb-zfeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11809?format=json","vulnerability_id":"VCID-fqcm-4af1-e3c1","summary":"Ruby on Rails vulnerable to code injection\nRuby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.","references":[{"reference_url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111","reference_id":"","reference_type":"","scores":[{"value":"0.03984","scoring_system":"epss","scoring_elements":"0.88603","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2006-4111"},{"reference_url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454"},{"reference_url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673"},{"reference_url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits"},{"reference_url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"},{"reference_url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.novell.com/linux/security/advisories/2006_21_sr.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255","reference_id":"382255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111","reference_id":"CVE-2006-4111","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-4111"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml","reference_id":"CVE-2006-4111.YML","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml"},{"reference_url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp","reference_id":"GHSA-rvpq-5xqx-pfpp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvpq-5xqx-pfpp"},{"reference_url":"https://security.gentoo.org/glsa/200608-20","reference_id":"GLSA-200608-20","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200608-20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53435?format=json","purl":"pkg:gem/rails@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bxj-7h5q-jbdz"},{"vulnerability":"VCID-26je-urbt-8kee"},{"vulnerability":"VCID-84x9-y43n-8uca"},{"vulnerability":"VCID-ajrj-qz9v-27d5"},{"vulnerability":"VCID-bkb7-2vvb-zfeq"},{"vulnerability":"VCID-c3hd-njh3-b3bg"},{"vulnerability":"VCID-d7rs-7c74-xkex"},{"vulnerability":"VCID-dyc8-6n4n-cyap"},{"vulnerability":"VCID-fqcm-4af1-e3c1"},{"vulnerability":"VCID-fqw6-tq5j-2udc"},{"vulnerability":"VCID-gq64-ywx7-jyfq"},{"vulnerability":"VCID-hbym-agkh-fqdj"},{"vulnerability":"VCID-hqc8-8cu1-rfgm"},{"vulnerability":"VCID-hud5-xxhh-u3ex"},{"vulnerability":"VCID-j52w-azvw-1ycn"},{"vulnerability":"VCID-mrwn-mkcp-j7dv"},{"vulnerability":"VCID-mvfq-sajq-bfb9"},{"vulnerability":"VCID-n2ap-zgrd-skhf"},{"vulnerability":"VCID-ns2u-nkbu-7fbp"},{"vulnerability":"VCID-sqqx-kuhq-ebhw"},{"vulnerability":"VCID-sx3y-xa4f-gkcf"},{"vulnerability":"VCID-tf9s-mg9q-1kfd"},{"vulnerability":"VCID-uw5h-1fk2-abat"},{"vulnerability":"VCID-vm51-p4w4-n3du"},{"vulnerability":"VCID-wj98-mgjt-6uay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.1.6"}],"aliases":["CVE-2006-4111","GHSA-rvpq-5xqx-pfpp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqcm-4af1-e3c1"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@1.1.6"}