Search for packages
| purl | pkg:gem/actionpack@4.1.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1xgz-hwng-n3eq
Aliases: CVE-2020-8185 GHSA-c6qr-h5vq-59jc |
Untrusted users can run pending migrations in production in Rails There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185. Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2 Impact ------ Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
Affected by 18 other vulnerabilities. |
|
VCID-333w-aacz-mfcr
Aliases: CVE-2014-7829 GHSA-h56m-vwxc-3qpw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-3x4p-t3yb-3yak
Aliases: GHSA-5xmj-wm96-fmw8 |
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. |
Affected by 36 other vulnerabilities. |
|
VCID-3zdr-vasc-a7cn
Aliases: CVE-2009-3009 GHSA-8qrh-h9m2-5fvf OSV-57666 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. | There are no reported fixed by versions. |
|
VCID-42dz-pxpv-qff3
Aliases: GHSA-hx46-vwmx-wx95 |
High severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. |
Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-49pq-vg95-jkh2
Aliases: CVE-2011-0447 GHSA-24fg-p96v-hxh8 |
Cross-Site Request Forgery (CSRF) Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. | There are no reported fixed by versions. |
|
VCID-4yst-m2tc-t3de
Aliases: GHSA-544j-77x9-h938 |
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-63gy-6njy-kbd8
Aliases: CVE-2023-22792 GHSA-p84v-45xj-wwqj GMS-2023-58 |
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-6j55-bstz-yybj
Aliases: CVE-2011-0449 GHSA-4ww3-3rxj-8v6q |
High severity vulnerability that affects actionpack actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. | There are no reported fixed by versions. |
|
VCID-7f5r-9h1g-nuch
Aliases: CVE-2009-3086 GHSA-fg9w-g6m4-557j |
Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. | There are no reported fixed by versions. |
|
VCID-9hq5-3usy-5fhq
Aliases: CVE-2016-0751 GHSA-ffpv-c4hm-3x6v |
Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-a6sp-18av-wya6
Aliases: CVE-2020-8164 GHSA-8727-m6gj-mc37 |
Possible Strong Parameters Bypass in ActionPack There is a strong parameters bypass vector in ActionPack. Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. Impacted code will look something like this: ``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ``` Note the mistaken use of `each` in the `clean_up_params` method in the above example. Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application. |
Affected by 14 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-bjwf-uhyk-63aj
Aliases: CVE-2015-7576 GHSA-p692-7mm3-3fxg |
Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-cdnw-t8n1-23ep
Aliases: CVE-2011-3187 GHSA-3vfw-7rcp-3xgm |
Improper Input Validation The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. | There are no reported fixed by versions. |
|
VCID-cnqr-6e98-5kgk
Aliases: CVE-2011-0446 GHSA-75w6-p6mg-vh8j |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. | There are no reported fixed by versions. |
|
VCID-d15q-6ukb-wfff
Aliases: CVE-2015-7581 GHSA-9h6g-gp95-x3q5 |
Object leak vulnerability for wildcard controller routes Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-dd9p-x7k3-37ea
Aliases: CVE-2023-28362 GHSA-4g8v-vg43-wpgf |
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362. Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4 |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-ehbj-aezy-d7h4
Aliases: CVE-2024-26142 GHSA-jjhx-jhvp-74wq |
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch # Possible ReDoS vulnerability in Accept header parsing in Action Dispatch There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142. Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1 Impact ------ Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-1-accept-redox.patch - Patch for 7.1 series Credits ------- Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch! |
Affected by 4 other vulnerabilities. |
|
VCID-g3rk-djae-pkeh
Aliases: CVE-2024-54133 GHSA-vfm5-rmrh-j26v |
Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report! |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h8gs-ansa-9bd9
Aliases: GHSA-m53f-rhq8-q6hf |
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-hmp2-rmzv-wkhg
Aliases: CVE-2011-2929 GHSA-r7q2-5gqg-6c7q |
Improper Input Validation The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." | There are no reported fixed by versions. |
|
VCID-hppf-a715-r7b2
Aliases: CVE-2023-22795 GHSA-8xww-x3g3-6jcv GMS-2023-56 |
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-j24x-nhsb-yug6
Aliases: CVE-2011-2197 GHSA-v9v4-7jp6-8c73 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. | There are no reported fixed by versions. |
|
VCID-knsd-pv15-tydx
Aliases: CVE-2011-2931 GHSA-v5jg-558j-q67c |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. | There are no reported fixed by versions. |
|
VCID-mnkw-23eu-bkgc
Aliases: CVE-2020-8166 GHSA-jp5v-5gx4-jmj9 |
Ability to forge per-form CSRF tokens in Rails It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session. Impact ------ Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
Affected by 14 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-msda-xqbp-qfdd
Aliases: CVE-2021-22903 GHSA-5hq2-xf89-9jxq |
Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug! |
Affected by 13 other vulnerabilities. |
|
VCID-n8cc-3stk-97b5
Aliases: GHSA-23v3-qfrj-wmgh |
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. |
Affected by 37 other vulnerabilities. |
|
VCID-p5mc-r1rg-5ff7
Aliases: CVE-2022-27777 GHSA-ch3h-j2vf-95pv GMS-2022-1138 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-phxs-zet8-ryh3
Aliases: CVE-2012-2660 GHSA-hgpp-pp89-4fgf OSV-82610 |
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places. | There are no reported fixed by versions. |
|
VCID-rps2-k24p-9qgq
Aliases: CVE-2011-4319 GHSA-xxr8-833v-c7wc OSV-77199 |
Translate helper method which may allow an attacker to insert arbitrary code into a page The helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped. | There are no reported fixed by versions. |
|
VCID-s5ah-tf63-a7cw
Aliases: CVE-2016-2098 GHSA-78rc-8c29-p45g |
Improper Input Validation The Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. |
Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-sfyc-jewr-wuf5
Aliases: CVE-2024-47887 GHSA-vfg9-r3fq-jvx4 |
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887. Impact ------ For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for reporting |
Affected by 1 other vulnerability. Affected by 6 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
|
VCID-sgdb-985e-4uej
Aliases: CVE-2024-41128 GHSA-x76w-6vjr-8xgj |
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128. Impact ------ Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches! |
Affected by 1 other vulnerability. Affected by 6 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
|
VCID-tt6r-bytq-4fa4
Aliases: CVE-2012-2694 GHSA-q34c-48gc-m9g8 |
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request `actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660. | There are no reported fixed by versions. |
|
VCID-v3r3-bwp5-a3bn
Aliases: CVE-2016-0752 GHSA-xrr4-p6fq-hjg7 |
Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-vgm2-8wjy-x7ed
Aliases: CVE-2008-7248 GHSA-8fqx-7pv4-3jwm |
Improper Input Validation Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. | There are no reported fixed by versions. |
|
VCID-wg3a-j2dp-ayh4
Aliases: CVE-2021-22904 GHSA-7wjx-3g7j-8584 |
Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue! |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-ynqu-cjn9-fqf2
Aliases: GHSA-vwfg-qj3r-6v3r |
Moderate severity vulnerability that affects actionpack Withdrawn, accidental duplicate publish. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-zkvd-bfd6-t7dg
Aliases: CVE-2014-7818 GHSA-29gr-w57f-rpfw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||