Vulnerability details: VCID-v3r3-bwp5-a3bn
Vulnerability ID VCID-v3r3-bwp5-a3bn
Aliases CVE-2016-0752
GHSA-xrr4-p6fq-hjg7
Summary Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
System Score Found at
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
ssvc Attend http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
ssvc Attend http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
ssvc Attend http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
ssvc Attend http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
ssvc Attend http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
cvssv3.1 7.5 http://rhn.redhat.com/errata/RHSA-2016-0296.html
cvssv3.1 7.5 http://rhn.redhat.com/errata/RHSA-2016-0296.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2016-0296.html
ssvc Attend http://rhn.redhat.com/errata/RHSA-2016-0296.html
epss 0.91051 https://api.first.org/data/v1/epss?cve=CVE-2016-0752
cvssv2 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
generic_textual HIGH https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
cvssv3.1 7.5 https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
cvssv3.1 7.5 https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
generic_textual HIGH https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
ssvc Attend https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
cvssv3 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
cvssv3.1 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
generic_textual HIGH https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2016-0752
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2016-0752
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2016-0752
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2016-0752
cvssv3.1 7.5 https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
generic_textual HIGH https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
cvssv3.1 7.5 https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
generic_textual HIGH https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
cvssv3.1 7.5 https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
generic_textual HIGH https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
cvssv3.1 7.5 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
generic_textual HIGH https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
cvssv3.1 7.5 https://www.exploit-db.com/exploits/40561
generic_textual HIGH https://www.exploit-db.com/exploits/40561
cvssv3.1 7.5 https://www.exploit-db.com/exploits/40561/
ssvc Attend https://www.exploit-db.com/exploits/40561/
cvssv3.1 7.5 http://www.debian.org/security/2016/dsa-3464
cvssv3.1 7.5 http://www.debian.org/security/2016/dsa-3464
generic_textual HIGH http://www.debian.org/security/2016/dsa-3464
ssvc Attend http://www.debian.org/security/2016/dsa-3464
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2016/01/25/13
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2016/01/25/13
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/01/25/13
ssvc Attend http://www.openwall.com/lists/oss-security/2016/01/25/13
cvssv3.1 7.5 http://www.securityfocus.com/bid/81801
cvssv3.1 7.5 http://www.securityfocus.com/bid/81801
generic_textual HIGH http://www.securityfocus.com/bid/81801
ssvc Attend http://www.securityfocus.com/bid/81801
cvssv3.1 7.5 http://www.securitytracker.com/id/1034816
cvssv3.1 7.5 http://www.securitytracker.com/id/1034816
generic_textual HIGH http://www.securitytracker.com/id/1034816
ssvc Attend http://www.securitytracker.com/id/1034816
Reference id Reference type URL
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
http://rhn.redhat.com/errata/RHSA-2016-0296.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0752.json
https://api.first.org/data/v1/epss?cve=CVE-2016-0752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
https://www.exploit-db.com/exploits/40561
https://www.exploit-db.com/exploits/40561/
http://www.debian.org/security/2016/dsa-3464
http://www.openwall.com/lists/oss-security/2016/01/25/13
http://www.securityfocus.com/bid/81801
http://www.securitytracker.com/id/1034816
1301963 https://bugzilla.redhat.com/show_bug.cgi?id=1301963
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_module_for_containers:12:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_module_for_containers:12:*:*:*:*:*:*:*
CVE-2016-0752 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/40561.rb
CVE-2016-0752 https://nvd.nist.gov/vuln/detail/CVE-2016-0752
CVE-2016-0752.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
CVE-2016-0752.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
GHSA-xrr4-p6fq-hjg7 https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
RHSA-2016:0296 https://access.redhat.com/errata/RHSA-2016:0296
RHSA-2016:0454 https://access.redhat.com/errata/RHSA-2016:0454
RHSA-2016:0455 https://access.redhat.com/errata/RHSA-2016:0455
Data source Exploit-DB
Date added Oct. 17, 2016
Description Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)
Ransomware campaign use Known
Source publication date Oct. 17, 2016
Exploit type remote
Platform multiple
Source update date Oct. 25, 2016
Data source KEV
Date added March 25, 2022
Description Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note
https://nvd.nist.gov/vuln/detail/CVE-2016-0752
Ransomware campaign use Unknown
Data source Metasploit
Description This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such as the following example:

    def show
      render params[:id]
    end

Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This module doesn't use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the built-in Rails server, use caution.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date Oct. 16, 2016
Platform BSD,Linux
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://rhn.redhat.com/errata/RHSA-2016-0296.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://rhn.redhat.com/errata/RHSA-2016-0296.html
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://rhn.redhat.com/errata/RHSA-2016-0296.html
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-0752
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-0752
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-0752
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://www.exploit-db.com/exploits/40561
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.exploit-db.com/exploits/40561/
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at https://www.exploit-db.com/exploits/40561/
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://www.debian.org/security/2016/dsa-3464
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.debian.org/security/2016/dsa-3464
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://www.debian.org/security/2016/dsa-3464
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://www.openwall.com/lists/oss-security/2016/01/25/13
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2016/01/25/13
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://www.openwall.com/lists/oss-security/2016/01/25/13
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://www.securityfocus.com/bid/81801
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.securityfocus.com/bid/81801
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://www.securityfocus.com/bid/81801
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.securitytracker.com/id/1034816
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://www.securitytracker.com/id/1034816
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ Found at http://www.securitytracker.com/id/1034816
Exploit Prediction Scoring System (EPSS)
Percentile 0.99637
EPSS Score 0.91051
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:00.930684+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2016-0752.yml 38.0.0