Search criteria
7 vulnerabilities found for N/A by Ruby on Rails
CERTFR-2024-AVI-0425
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une exécution de code arbitraire.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | Rails versions 6.x sans le greffon Sprockets assets pipeline et sans la dernière version de Trix | ||
| Ruby on Rails | N/A | Rails versions 7.1.x antérieures à 7.1.3.3 | ||
| Ruby on Rails | N/A | Rails versions 7.0.x antérieures à 7.0.8.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails versions 6.x sans le greffon Sprockets assets pipeline et sans la derni\u00e8re version de Trix",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.3.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-34341",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34341"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0425",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire.",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": "2024-05-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 85803",
"url": "https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803"
}
]
}
CERTFR-2024-AVI-0160
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.1.x antérieures à 7.1.3.1 | ||
| Ruby on Rails | N/A | Rack versions 3.0.x antérieures à 3.0.9.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 6.1.7.7 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.8.1 | ||
| Ruby on Rails | N/A | Rack versions antérieures à 2.2.8.1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.3.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rack versions 3.0.x ant\u00e9rieures \u00e0 3.0.9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.7.7",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rack versions ant\u00e9rieures \u00e0 2.2.8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-25126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25126"
},
{
"name": "CVE-2024-26143",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26143"
},
{
"name": "CVE-2024-26146",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26146"
},
{
"name": "CVE-2024-26141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26141"
},
{
"name": "CVE-2024-26142",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26142"
},
{
"name": "CVE-2024-26144",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26144"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0160",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-23T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails.\nElles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0\ndistance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection\nde code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84946 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84941 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84944 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84942 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84945 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84947 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
}
]
}
CERTFR-2022-AVI-540
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | Rails::Html::Sanitizer versions antérieures à 1.4.3 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails::Html::Sanitizer versions ant\u00e9rieures \u00e0 1.4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-32209",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32209"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-540",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails ce9PhUANQ6s du 10 juin 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s"
}
]
}
CERTFR-2022-AVI-143
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | Rails versions 7.0.x antérieures à 7.0.2.1 | ||
| Ruby on Rails | N/A | Rails versions 5.2.x antérieures à 5.2.6.1 | ||
| Ruby on Rails | N/A | Rails versions 6.1.x antérieures à 6.1.4.5 | ||
| Ruby on Rails | N/A | Rails versions 6.0.x antérieures à 6.0.4.5 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 5.2.x ant\u00e9rieures \u00e0 5.2.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-23633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23633"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-143",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/zlI-qMMwZvQ"
}
]
}
CERTFR-2020-AVI-567
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | Rails versions antérieures à 5.2.4.4 | ||
| Ruby on Rails | N/A | Rails versions 6.0.x antérieures à 6.0.3.3 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails versions ant\u00e9rieures \u00e0 5.2.4.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-15169",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15169"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-567",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-09-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 09 septembre 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/b-C9kSGXYrc"
}
]
}
CERTFR-2020-AVI-275
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | paquet (gem) actionpack_page-caching versions antérieures à 1.2.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "paquet (gem) actionpack_page-caching versions ant\u00e9rieures \u00e0 1.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-8159",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8159"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-275",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-05-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 06 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8"
}
]
}
CERTFR-2018-AVI-522
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails . Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | N/A | Loofah versions antérieures à v2.2.3 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Loofah versions ant\u00e9rieures \u00e0 v2.2.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-16468",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16468"
}
],
"links": [],
"reference": "CERTFR-2018-AVI-522",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-10-31T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails . Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 30 octobre 2018",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/mVv9JnbYVd0"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Loofah du 27 octobre 2018",
"url": "https://github.com/flavorjones/loofah/issues/154"
}
]
}