Search criteria
66 vulnerabilities found for Ruby on Rails by Ruby on Rails
CERTFR-2024-AVI-0889
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.2.x antérieures à 7.2.1.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.8.5 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.1.x antérieures à 7.1.4.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 6.1.7.9 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 7.2.x ant\u00e9rieures \u00e0 7.2.1.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.5",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.4.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.7.9",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-47888",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47888"
},
{
"name": "CVE-2024-47887",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47887"
},
{
"name": "CVE-2024-28103",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28103"
},
{
"name": "CVE-2024-41128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41128"
},
{
"name": "CVE-2024-32464",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32464"
},
{
"name": "CVE-2024-47889",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47889"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0889",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-10-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": "2024-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87695",
"url": "https://discuss.rubyonrails.org/t/cve-2024-47889-possible-redos-vulnerability-in-block-format-in-action-mailer/87695"
},
{
"published_at": "2024-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87696",
"url": "https://discuss.rubyonrails.org/t/cve-2024-47888-possible-redos-vulnerability-in-plain-text-for-blockquote-node-in-action-text/87696"
},
{
"published_at": "2024-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87698",
"url": "https://discuss.rubyonrails.org/t/cve-2024-47887-possible-redos-vulnerability-in-http-token-authentication-in-action-controller/87698"
},
{
"published_at": "2024-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87699",
"url": "https://discuss.rubyonrails.org/t/cve-2024-41128-possible-redos-vulnerability-in-query-parameter-filtering-in-action-dispatch/87699"
}
]
}
CERTFR-2024-AVI-0463
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS), un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.8.4 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.1.x antérieures à 6.1.7.8 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.1.x antérieures à 7.1.3.4 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.4",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.7.8",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.3.4",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-28103",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28103"
},
{
"name": "CVE-2024-32464",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32464"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0463",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-06-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails. Elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS), un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": "2024-06-04",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 85948",
"url": "https://discuss.rubyonrails.org/t/cve-2024-28103-permissions-policy-is-only-served-on-html-content-type/85948"
},
{
"published_at": "2024-06-04",
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 85949",
"url": "https://discuss.rubyonrails.org/t/cve-2024-32464-actiontext-contentattachments-can-contain-unsanitized-html/85949"
}
]
}
CERTFR-2024-AVI-0160
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.1.x antérieures à 7.1.3.1 | ||
| Ruby on Rails | N/A | Rack versions 3.0.x antérieures à 3.0.9.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 6.1.7.7 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.8.1 | ||
| Ruby on Rails | N/A | Rack versions antérieures à 2.2.8.1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.3.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rack versions 3.0.x ant\u00e9rieures \u00e0 3.0.9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.7.7",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rack versions ant\u00e9rieures \u00e0 2.2.8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-25126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25126"
},
{
"name": "CVE-2024-26143",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26143"
},
{
"name": "CVE-2024-26146",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26146"
},
{
"name": "CVE-2024-26141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26141"
},
{
"name": "CVE-2024-26142",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26142"
},
{
"name": "CVE-2024-26144",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26144"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0160",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-23T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails.\nElles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0\ndistance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection\nde code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84946 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84941 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84944 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84942 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84945 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 84947 du 21 f\u00e9vrier 2024",
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
}
]
}
CERTFR-2022-AVI-639
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.3.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.1.x antérieures à 6.1.6.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 5.2.8.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.0.x antérieures à 6.0.5.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.3.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.6.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 5.2.8.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.5.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-32224",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32224"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-639",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-07-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails MmFO3LYQE8U du 12 juillet 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U"
}
]
}
CERTFR-2022-AVI-506
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails . Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 2.1.x antérieures à 2.1.4.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 2.0.9.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 2.2.x antérieures à 2.2.3.1 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 2.1.x ant\u00e9rieures \u00e0 2.1.4.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 2.0.9.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 2.2.x ant\u00e9rieures \u00e0 2.2.3.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-30123",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30123"
},
{
"name": "CVE-2022-30122",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30122"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-506",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-05-30T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails .\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2022-30123 du 27 mai 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/PqEYO9ARpq0"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2022-30122 du 27 mai 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/J4PJo_cB-4c"
}
]
}
CERTFR-2022-AVI-389
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.0.x antérieures à 6.0.4.8 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 5.2.7.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 7.0.x antérieures à 7.0.2.4 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.1.x antérieures à 6.1.5.1 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.4.8",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 5.2.7.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.2.4",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.5.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-22577",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22577"
},
{
"name": "CVE-2022-27777",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27777"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-389",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-04-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails.\nElles permettent \u00e0 un attaquant de provoquer une injection de code\nindirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2022-22577 du 26 avril 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/RmWxKvSNgRg"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2022-27777 du 26 avril 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc"
}
]
}
CERTFR-2021-AVI-646
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.1.x antérieures à 6.1.4.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.0.x antérieures à 6.0.4.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.4.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.4.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22942"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-646",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-08-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 19 ao\u00fbt 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c"
}
]
}
CERTFR-2021-AVI-352
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby-on-rails. Elles permettent à un attaquant de provoquer un déni de service, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 6.1.3.2 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.3.2",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22904",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22904"
},
{
"name": "CVE-2021-22885",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22885"
},
{
"name": "CVE-2021-22902",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22902"
},
{
"name": "CVE-2021-22903",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22903"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-352",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-05-06T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby-on-rails.\nElles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby NiQl-48cXYI du 6 mai 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby Pf1TjkOBdyQ du 6 mai 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby 8TxqXEtgSF0 du 6 mai 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby _5ID_ld9u1c du 6 mai 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c"
}
]
}
CERTFR-2021-AVI-115
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 4.2.0 à 5.2.x antérieures à 5.2.4.5 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.0 antérieures à 6.0.3.5 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.1 antérieures à 6.1.2.1 |
References
| Title | Publication Time | Tags | |
|---|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 4.2.0 \u00e0 5.2.x ant\u00e9rieures \u00e0 5.2.4.5",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.0 ant\u00e9rieures \u00e0 6.0.3.5",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 6.1 ant\u00e9rieures \u00e0 6.1.2.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22880",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22880"
},
{
"name": "CVE-2021-22881",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22881"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2021",
"url": "https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI"
}
],
"reference": "CERTFR-2021-AVI-115",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-02-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails.\nElles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2021",
"url": null
}
]
}
CERTFR-2020-AVI-380
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.x antérieures à 6.0.3.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 6.x ant\u00e9rieures \u00e0 6.0.3.2",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-8185",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8185"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-380",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 17 juin 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pAe9EV8gbM0"
}
]
}
CERTFR-2020-AVI-301
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un contournement de la politique de sécurité et une injection de requêtes illégitimes par rebond (CSRF).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 6.x antérieures à 6.0.3.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 5.x antérieures à 5.2.4.3 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 6.x ant\u00e9rieures \u00e0 6.0.3.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 5.x ant\u00e9rieures \u00e0 5.2.4.3",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-8166",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8166"
},
{
"name": "CVE-2020-8165",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8165"
},
{
"name": "CVE-2020-8164",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8164"
},
{
"name": "CVE-2020-8162",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8162"
},
{
"name": "CVE-2020-8167",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8167"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-301",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-05-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails.\nElles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, un contournement de la politique de s\u00e9curit\u00e9 et\nune injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2020-8167 du 18 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2020-8164 du 18 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2020-8162 du 18 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2020-8166 du 18 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails CVE-2020-8165 du 18 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
}
]
}
CERTFR-2020-AVI-297
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 4.2.11.3 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 4.2.11.3",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-8163",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8163"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-297",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-05-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 15 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 16 mai 2020",
"url": "https://weblog.rubyonrails.org/releases/"
}
]
}
CERTFR-2020-AVI-270
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails . Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions antérieures à 5.1.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions ant\u00e9rieures \u00e0 5.1.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-8151",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8151"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-270",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-05-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails . Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 05 mai 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"
}
]
}
CERTFR-2020-AVI-165
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails 6.x versions antérieures à 6.0.2.2 | ||
| Ruby on Rails | Ruby on Rails | Ruby on Rails 5.2.x versions antérieures à 5.2.4 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails 6.x versions ant\u00e9rieures \u00e0 6.0.2.2",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails 5.2.x versions ant\u00e9rieures \u00e0 5.2.4",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-5627",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-5627"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-165",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 55reWMM_Pg8 du 19 mars 2020",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8"
}
]
}
CERTFR-2019-AVI-111
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Ruby On Rails. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 5.0.x antérieures à 5.0.7.2 | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 4.2.x antérieures à 4.2.11.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 5.2.x antérieures à 5.2.2.1 | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 5.1.x antérieures à 5.1.6.2 | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 6.0.0.x antérieures à 6.0.0.beta3 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby On Rails versions 5.0.x ant\u00e9rieures \u00e0 5.0.7.2",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 4.2.x ant\u00e9rieures \u00e0 4.2.11.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 5.2.x ant\u00e9rieures \u00e0 5.2.2.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 5.1.x ant\u00e9rieures \u00e0 5.1.6.2",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 6.0.0.x ant\u00e9rieures \u00e0 6.0.0.beta3",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-5419",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5419"
},
{
"name": "CVE-2019-5418",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5418"
},
{
"name": "CVE-2019-5420",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5420"
}
],
"links": [],
"reference": "CERTFR-2019-AVI-111",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-03-14T00:00:00.000000"
},
{
"description": "Ajout d\u0027un bulletin de s\u00e9curit\u00e9",
"revision_date": "2019-03-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby On Rails.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance, un d\u00e9ni de service et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails CVE-2019-5418 Amendment du 22 mars 2019",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails CVE-2019-5418 du 13 mars 2019",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails CVE-2019-5419 du 13 mars 2019",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails CVE-2019-5420 du 13 mars 2019",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw"
}
]
}