151 vulnerabilities found for ruby_on_rails by rubyonrails
FKIE_CVE-2017-17919
Vulnerability from fkie_nvd - Published: 2017-12-29 16:29 - Updated: 2025-04-20 01:37
Summary
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| rubyonrails | ruby_on_rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F46C1792-F008-4AF6-A46D-1E2B262EC13F",
"versionEndIncluding": "5.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027order\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id desc\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
},
{
"lang": "es",
"value": "**EN DISPUTA** Vulnerabilidad de inyecci\u00f3n SQL en el m\u00e9todo \"order\" en Ruby on Rails 5.1.4 y anteriores permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el par\u00e1metro \"id desc\". NOTA: El fabricante rechaza este problema porque la documentaci\u00f3n indica que este m\u00e9todo no esta destinado a utilizarse con datos de entrada no fiables."
}
],
"id": "CVE-2017-17919",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2017-12-29T16:29:00.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2017-17920
Vulnerability from fkie_nvd - Published: 2017-12-29 16:29 - Updated: 2025-04-20 01:37
Summary
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| rubyonrails | ruby_on_rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F46C1792-F008-4AF6-A46D-1E2B262EC13F",
"versionEndIncluding": "5.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027reorder\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
},
{
"lang": "es",
"value": "** EN DISPUTA ** La vulnerabilidad de inyecci\u00f3n SQL en el m\u00e9todo \u0027reorder\u0027 de Ruby on Rails 5.1.4 y anteriores permite a los atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro \u0027name\u0027. NOTA: El proveedor no est\u00e1 de acuerdo con este punto porque la documentaci\u00f3n indica que este m\u00e9todo no est\u00e1 dise\u00f1ado para ser utilizado con datos no confiables."
}
],
"id": "CVE-2017-17920",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-29T16:29:00.343",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-6316
Vulnerability from fkie_nvd - Published: 2016-09-07 19:28 - Updated: 2025-04-12 10:46
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "11F211A0-AC69-482A-B659-AEE7BE4E4CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "42232305-7D62-4692-81CC-B7E9CE642372",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DD2818D7-5006-4486-AE55-47B63C8F114B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "83EF40E0-1C62-415A-892B-C071B109D924",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "22D707A0-7CA9-4CED-8DBA-1B50B57EDB2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "0C3CADF8-3316-4514-9A70-AD3DF16B19E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "D0D4AF31-A47B-4BE3-A99B-9A0EB7C53D20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.21:*:*:*:*:*:*:*",
"matchCriteriaId": "AE982FFD-D30F-4872-9C36-74DE50405B18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.22.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EA770BE3-DD37-45C9-9E6D-8D3407D1A5D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AE4B688E-8638-4539-961D-4FDCBEB4B1C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5D0346BB-9180-4FE5-AA35-DC466675ED5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "2D6DD9BF-F174-4BE3-9910-BDE3658DC36E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "40B79E40-75CB-4EBB-8A4B-AF41AED2AE1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.16:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89B4DCF6-1A21-4B91-ACB4-7DE05487C497",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "6A19315C-9A9D-45FE-81C8-074744825B98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "392CF25B-8400-4185-863F-D6353B664FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3037282A-863A-4C92-A40C-4D436D2621C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F844FB25-6E27-412F-8394-A7FB15AC1191",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A4E608ED-F4AB-4F29-B34E-2841A59580A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6320DD44-7D7E-4075-A865-BEAFF86FDA9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "48D71F7B-CF93-41D4-A824-51CB11F08692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22:*:*:*:*:*:*:*",
"matchCriteriaId": "60CE659B-DF49-477B-8879-C33823F6527F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7EF68196-7C9E-40FE-868D-C42FF82D52EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E971CF9D-B807-4A74-81EB-D7CB4E5B8099",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:racecar1:*:*:*:*:*:*",
"matchCriteriaId": "0B31291C-CBB5-4E51-B0AC-4144E8BAD65B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Action View en Ruby on Rails 3.x en versiones anteriores a 3.2.22.3, 4.x en versiones anteriores a 4.2.7.1 y 5.x en versiones anteriores a 5.0.0.1 podr\u00eda permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de texto declarado como \"HTML safe\" y utilizado como valores de atributos en los manejadores de etiquetas."
}
],
"id": "CVE-2016-6316",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-09-07T19:28:10.067",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2016-6316"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-2098
Vulnerability from fkie_nvd - Published: 2016-04-07 23:59 - Updated: 2025-04-12 10:46
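Severity: HIGH (CVSS v3.0 base score 7.3; CVSS v2 base score 7.5; both scored by nvd@nist.gov, see "metrics" below)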
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBD4FBDC-F05B-4CDD-8928-7122397A7651",
"versionEndIncluding": "3.2.22.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
},
{
"lang": "es",
"value": "Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar c\u00f3digo Ruby arbitrario aprovechando el uso no restringido del m\u00e9todo render de una aplicaci\u00f3n."
}
],
"id": "CVE-2016-2098",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-04-07T23:59:06.643",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"source": "secalert@redhat.com",
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/40086/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-2097
Vulnerability from fkie_nvd - Published: 2016-04-07 23:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBD4FBDC-F05B-4CDD-8928-7122397A7651",
"versionEndIncluding": "3.2.22.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.2 y 4.x en versiones anteriores a 4.1.14.2 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del m\u00e9todo render de una aplicaci\u00f3n y proporcionando un .. (punto punto) en un nombre de ruta. NOTA: esta vulnerabilidad existe por una soluci\u00f3n incompleta para CVE-2016-0752."
}
],
"id": "CVE-2016-2097",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-04-07T23:59:05.800",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-0751
Vulnerability from fkie_nvd - Published: 2016-02-16 02:59 - Updated: 2025-04-12 10:46
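Severity: HIGH (CVSS v3.0 base score 7.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CVSS v2.0 base score 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P), as scored by nvd@nist.gov in the record below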
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
},
{
"lang": "es",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb en Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no restringe adecuadamente el uso de la cach\u00e9 de tipo MIME, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de una cabecera HTTP Accept manipulada."
}
],
"id": "CVE-2016-0751",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:05.877",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-7577
Vulnerability from fkie_nvd - Published: 2016-02-16 02:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
},
{
"lang": "es",
"value": "activerecord/lib/active_record/nested_attributes.rb en Active Record en Ruby on Rails 3.1.x y 3.2.x en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no implementa adecuadamente una cierta opci\u00f3n de destruir, lo que permite a atacantes remotos eludir restricciones destinadas al cambio mediante el aprovechamiento del uso de la funcionalidad de atributos anidados."
}
],
"id": "CVE-2015-7577",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:01.063",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-7576
Vulnerability from fkie_nvd - Published: 2016-02-16 02:59 - Updated: 2025-04-12 10:46
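Severity: LOW (CVSS v3.0 base score 3.7, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N); MEDIUM under CVSS v2 (base score 4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N), per the nvd@nist.gov Primary metrics in the record below.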
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
},
{
"lang": "es",
"value": "El m\u00e9todo http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementaci\u00f3n Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea m\u00e1s f\u00e1cil para atacantes remotos eludir la autenticaci\u00f3n mediante la medici\u00f3n de las diferencias de temporizaci\u00f3n."
}
],
"id": "CVE-2015-7576",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:00.110",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-3226
Vulnerability from fkie_nvd - Published: 2015-07-26 22:59 - Updated: 2025-04-12 10:46
Severity: 4.3 (Medium), CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
References
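Impacted products
Note: the table lists only the CPE entries recorded for this CVE. The ranges in the summary (3.x, 4.1.x before 4.1.11, 4.2.x before 4.2.2) also cover releases that are not enumerated here, such as 4.1.9 and 4.1.10, so match installed versions against the summary ranges rather than against this list alone.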
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.1.0 | |
| rubyonrails | rails | 3.2.0 | |
| rubyonrails | rails | 3.2.1 | |
| rubyonrails | rails | 3.2.2 | |
| rubyonrails | rails | 3.2.3 | |
| rubyonrails | rails | 3.2.4 | |
| rubyonrails | rails | 3.2.5 | |
| rubyonrails | rails | 3.2.6 | |
| rubyonrails | rails | 3.2.7 | |
| rubyonrails | rails | 3.2.8 | |
| rubyonrails | rails | 3.2.9 | |
| rubyonrails | rails | 3.2.10 | |
| rubyonrails | rails | 3.2.11 | |
| rubyonrails | rails | 3.2.12 | |
| rubyonrails | rails | 3.2.13 | |
| rubyonrails | rails | 3.2.15 | |
| rubyonrails | rails | 3.2.16 | |
| rubyonrails | rails | 3.2.17 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 | |
| rubyonrails | rails | 4.1.5 | |
| rubyonrails | rails | 4.1.6 | |
| rubyonrails | rails | 4.1.7 | |
| rubyonrails | rails | 4.1.8 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | ruby_on_rails | 3.2.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B7A927B-7E18-44B5-9307-E602790F8AB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar c\u00f3digo arbitrario HTML o web script a trav\u00e9s de un Hash manipulado que no es manejado correctamente durante la codificaci\u00f3n JSON."
}
],
"id": "CVE-2015-3226",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-07-26T22:59:05.133",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-7829
Vulnerability from fkie_nvd - Published: 2014-11-18 23:59 - Updated: 2025-04-12 10:46
Severity: 5.0 (Medium), CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "48D71F7B-CF93-41D4-A824-51CB11F08692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \\ (backslash) character, a similar issue to CVE-2014-7818."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en el Action Pack de Ruby on Rails 3.x anterior a 3.2.21, 4.0.x anterior a 4.0.12, 4.1.x anterior a 4.1.8, y 4.2.x anterior a 4.2.0.beta4, cuando serve_static_assets est\u00e1 activado, permite a atacantes remotos determinar la existencia de ficheros fuera de la aplicaci\u00f3n root a trav\u00e9s de vectores que implican un car\u00e1cter \\ (barra invertida), un problema similar al CVE-2014-7818."
}
],
"id": "CVE-2014-7829",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-18T23:59:03.427",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/71183"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/71183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2014-7829"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2017-17919 (GCVE-0-2017-17919)
Vulnerability from cvelistv5 – Published: 2017-12-29 16:00 – Updated: 2024-08-05 21:06
Summary
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
Severity ?
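8.1 (High) — CVSS 3.1 base score (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) supplied by the CISA-ADP container in the record below; the CNA (mitre) container carries no score and tags this CVE as disputed.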
CWE
- n/a in the CNA container; the CISA-ADP container in the record below assigns CWE-89 (SQL Injection)
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ruby_on_rails",
"vendor": "rubyonrails",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2017-17919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T15:16:52.640372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:11:55.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:49.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027order\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id desc\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-01T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** SQL injection vulnerability in the \u0027order\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id desc\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17919",
"datePublished": "2017-12-29T16:00:00",
"dateReserved": "2017-12-26T00:00:00",
"dateUpdated": "2024-08-05T21:06:49.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17920 (GCVE-0-2017-17920)
Vulnerability from cvelistv5 – Published: 2017-12-29 16:00 – Updated: 2024-08-05 21:06
Summary
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:49.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027reorder\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-01T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** SQL injection vulnerability in the \u0027reorder\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17920",
"datePublished": "2017-12-29T16:00:00",
"dateReserved": "2017-12-26T00:00:00",
"dateUpdated": "2024-08-05T21:06:49.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6316 (GCVE-0-2016-6316)
Vulnerability from cvelistv5 – Published: 2016-09-07 19:00 – Updated: 2024-08-06 01:29
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:29:18.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2016:1856",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-08-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2016:1856",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-6316",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2016:1856",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"name": "https://puppet.com/security/cve/cve-2016-6316",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"name": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3651"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-6316",
"datePublished": "2016-09-07T19:00:00",
"dateReserved": "2016-07-26T00:00:00",
"dateUpdated": "2024-08-06T01:29:18.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2097 (GCVE-0-2016-2097)
Vulnerability from cvelistv5 – Published: 2016-04-07 23:00 – Updated: 2024-08-05 23:17
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:17:50.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-02-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-2097",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2016:0967",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-2097",
"datePublished": "2016-04-07T23:00:00",
"dateReserved": "2016-01-29T00:00:00",
"dateUpdated": "2024-08-05T23:17:50.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2098 (GCVE-0-2016-2098)
Vulnerability from cvelistv5 – Published: 2016-04-07 23:00 – Updated: 2024-08-05 23:17
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:17:50.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-02-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-02T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-2098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2016:0867",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-2098",
"datePublished": "2016-04-07T23:00:00",
"dateReserved": "2016-01-29T00:00:00",
"dateUpdated": "2024-08-05T23:17:50.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7577 (GCVE-0-2015-7577)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7577",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7577",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0752 (GCVE-0-2016-0752)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2025-10-21 23:55
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:03.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2016-0752",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T13:26:36.145115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:55:55.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2016-0752 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0752",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "40561",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0752",
"datePublished": "2016-02-16T02:00:00.000Z",
"dateReserved": "2015-12-16T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:55:55.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0751 (GCVE-0-2016-0751)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-05 22:30
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:03.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0751",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:03.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7576 (GCVE-0-2015-7576)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7576",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7576",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3226 (GCVE-0-2015-3226)
Vulnerability from cvelistv5 – Published: 2015-07-26 22:00 – Updated: 2024-08-06 05:39
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:32.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-15T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1033755",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3226",
"datePublished": "2015-07-26T22:00:00",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:32.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17919 (GCVE-0-2017-17919)
Vulnerability from nvd – Published: 2017-12-29 16:00 – Updated: 2024-08-05 21:06
Summary
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
Severity ?
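8.1 (High) — CVSS 3.1 base score (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) supplied by the CISA-ADP enrichment container, not by the CNA; the CNA record itself is tagged "disputed".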
CWE
- n/a in the CNA record; the CISA-ADP container assigns CWE-89 (SQL Injection)
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ruby_on_rails",
"vendor": "rubyonrails",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2017-17919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T15:16:52.640372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:11:55.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:49.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027order\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id desc\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-01T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** SQL injection vulnerability in the \u0027order\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id desc\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17919",
"datePublished": "2017-12-29T16:00:00",
"dateReserved": "2017-12-26T00:00:00",
"dateUpdated": "2024-08-05T21:06:49.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17920 (GCVE-0-2017-17920)
Vulnerability from nvd – Published: 2017-12-29 16:00 – Updated: 2024-08-05 21:06
Summary
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:49.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027reorder\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-01T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** SQL injection vulnerability in the \u0027reorder\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17920",
"datePublished": "2017-12-29T16:00:00",
"dateReserved": "2017-12-26T00:00:00",
"dateUpdated": "2024-08-05T21:06:49.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6316 (GCVE-0-2016-6316)
Vulnerability from nvd – Published: 2016-09-07 19:00 – Updated: 2024-08-06 01:29
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:29:18.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2016:1856",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-08-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2016:1856",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-6316",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2016:1856",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"name": "https://puppet.com/security/cve/cve-2016-6316",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"name": "92430",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"name": "RHSA-2016:1855",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"name": "[oss-security] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"name": "RHSA-2016:1858",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"name": "RHSA-2016:1857",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"name": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"name": "[ruby-security-ann] 20160811 [CVE-2016-6316] Possible XSS Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"name": "DSA-3651",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3651"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-6316",
"datePublished": "2016-09-07T19:00:00",
"dateReserved": "2016-07-26T00:00:00",
"dateUpdated": "2024-08-06T01:29:18.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2097 (GCVE-0-2016-2097)
Vulnerability from nvd – Published: 2016-04-07 23:00 – Updated: 2024-08-05 23:17
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:17:50.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-02-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-2097",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2016:0967",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"name": "1035122",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "SUSE-SU-2016:0854",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "83726",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"name": "openSUSE-SU-2016:0835",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-2097",
"datePublished": "2016-04-07T23:00:00",
"dateReserved": "2016-01-29T00:00:00",
"dateUpdated": "2024-08-05T23:17:50.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2098 (GCVE-0-2016-2098)
Vulnerability from nvd – Published: 2016-04-07 23:00 – Updated: 2024-08-05 23:17
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Severity ?
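No CVSS data available in this record. The reference list includes an Exploit-DB entry (40086) tagged "exploit", so the missing score should not be read as low severity.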
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:17:50.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-02-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-02T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-2098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2016:0867",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-2098",
"datePublished": "2016-04-07T23:00:00",
"dateReserved": "2016-01-29T00:00:00",
"dateUpdated": "2024-08-05T23:17:50.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7577 (GCVE-0-2015-7577)
Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7577",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "81806",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7577",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0752 (GCVE-0-2016-0752)
Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2025-10-21 23:55
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
Severity ?
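7.5 (High) – CVSS 3.1 base score (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) from the CISA-ADP container. The same container records SSVC exploitation as "active" and the CVE as added to the CISA Known Exploited Vulnerabilities catalog on 2022-03-25.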
CWE
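- CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), assigned in the CISA-ADP container; the CNA (redhat) problem type is n/a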
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:03.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2016-0752",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T13:26:36.145115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:55:55.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2016-0752 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0752",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "40561",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0752",
"datePublished": "2016-02-16T02:00:00.000Z",
"dateReserved": "2015-12-16T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:55:55.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0751 (GCVE-0-2016-0751)
Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-05 22:30
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:03.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"name": "FEDORA-2016-f486068393",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81800",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0751",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:03.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7576 (GCVE-0-2015-7576)
Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
Severity
No CVSS data available.
CWE
- n/a
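Assigner
redhat
References
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/01/25/8 | mailing-list, x_refsource_MLIST |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html | vendor-advisory, x_refsource_SUSE |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html | vendor-advisory, x_refsource_FEDORA |
| http://www.securityfocus.com/bid/81803 | vdb-entry, x_refsource_BID |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE |
| http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK |
| http://www.debian.org/security/2016/dsa-3464 | vendor-advisory, x_refsource_DEBIAN |
| http://rhn.redhat.com/errata/RHSA-2016-0296.html | vendor-advisory, x_refsource_REDHAT |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html | vendor-advisory, x_refsource_FEDORA |
| https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ | mailing-list, x_refsource_MLIST |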
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7576",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"name": "FEDORA-2016-3ede04cd79",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "81803",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"name": "FEDORA-2016-f486068393",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7576",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3226 (GCVE-0-2015-3226)
Vulnerability from nvd – Published: 2015-07-26 22:00 – Updated: 2024-08-06 05:39
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
Severity
No CVSS data available.
CWE
- n/a
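Assigner
redhat
References
| URL | Tags |
|---|---|
| http://www.securitytracker.com/id/1033755 | vdb-entry, x_refsource_SECTRACK |
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/75231 | vdb-entry, x_refsource_BID |
| http://openwall.com/lists/oss-security/2015/06/16/17 | mailing-list, x_refsource_MLIST |
| http://www.debian.org/security/2016/dsa-3464 | vendor-advisory, x_refsource_DEBIAN |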
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:32.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-15T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1033755",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3226",
"datePublished": "2015-07-26T22:00:00",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:32.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}