Search criteria

3 vulnerabilities by david_hansson

CVE-2009-2422 (GCVE-0-2009-2422)

Vulnerability from cvelistv5 – Published: 2009-07-10 15:00 – Updated: 2024-08-07 05:52
VLAI?
Summary
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:52:14.795Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "35702",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/35702"
          },
          {
            "name": "35579",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/35579"
          },
          {
            "name": "APPLE-SA-2010-03-29-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest"
          },
          {
            "name": "ADV-2009-1802",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/1802"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.apple.com/kb/HT4077"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s"
          },
          {
            "name": "rubyonrails-validatedigest-sec-bypass(51528)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51528"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-06-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "35702",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/35702"
        },
        {
          "name": "35579",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/35579"
        },
        {
          "name": "APPLE-SA-2010-03-29-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest"
        },
        {
          "name": "ADV-2009-1802",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/1802"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.apple.com/kb/HT4077"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s"
        },
        {
          "name": "rubyonrails-validatedigest-sec-bypass(51528)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51528"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-2422",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "35702",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/35702"
            },
            {
              "name": "35579",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/35579"
            },
            {
              "name": "APPLE-SA-2010-03-29-1",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
            },
            {
              "name": "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest",
              "refsource": "CONFIRM",
              "url": "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest"
            },
            {
              "name": "ADV-2009-1802",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2009/1802"
            },
            {
              "name": "http://support.apple.com/kb/HT4077",
              "refsource": "CONFIRM",
              "url": "http://support.apple.com/kb/HT4077"
            },
            {
              "name": "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s",
              "refsource": "MISC",
              "url": "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s"
            },
            {
              "name": "rubyonrails-validatedigest-sec-bypass(51528)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51528"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-2422",
    "datePublished": "2009-07-10T15:00:00",
    "dateReserved": "2009-07-10T00:00:00",
    "dateUpdated": "2024-08-07T05:52:14.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2007-5380 (GCVE-0-2007-5380)

Vulnerability from cvelistv5 – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
http://secunia.com/advisories/27965 third-party-advisoryx_refsource_SECUNIA
http://www.vupen.com/english/advisories/2007/4238 vdb-entryx_refsource_VUPEN
http://www.vupen.com/english/advisories/2007/3508 vdb-entryx_refsource_VUPEN
http://www.us-cert.gov/cas/techalerts/TA07-352A.html third-party-advisoryx_refsource_CERT
http://secunia.com/advisories/28136 third-party-advisoryx_refsource_SECUNIA
http://www.securityfocus.com/bid/26096 vdb-entryx_refsource_BID
http://security.gentoo.org/glsa/glsa-200711-17.xml vendor-advisoryx_refsource_GENTOO
http://bugs.gentoo.org/show_bug.cgi?id=195315 x_refsource_CONFIRM
http://www.novell.com/linux/security/advisories/2… vendor-advisoryx_refsource_SUSE
http://weblog.rubyonrails.org/2007/10/5/rails-1-2… x_refsource_CONFIRM
http://lists.apple.com/archives/security-announce… vendor-advisoryx_refsource_APPLE
http://docs.info.apple.com/article.html?artnum=307179 x_refsource_CONFIRM
http://secunia.com/advisories/27657 third-party-advisoryx_refsource_SECUNIA
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T15:31:58.474Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "27965",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/27965"
          },
          {
            "name": "ADV-2007-4238",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/4238"
          },
          {
            "name": "ADV-2007-3508",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/3508"
          },
          {
            "name": "TA07-352A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
          },
          {
            "name": "28136",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/28136"
          },
          {
            "name": "26096",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/26096"
          },
          {
            "name": "GLSA-200711-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
          },
          {
            "name": "SUSE-SR:2007:025",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
          },
          {
            "name": "APPLE-SA-2007-12-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://docs.info.apple.com/article.html?artnum=307179"
          },
          {
            "name": "27657",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/27657"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2007-11-17T10:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "27965",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/27965"
        },
        {
          "name": "ADV-2007-4238",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/4238"
        },
        {
          "name": "ADV-2007-3508",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/3508"
        },
        {
          "name": "TA07-352A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
        },
        {
          "name": "28136",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/28136"
        },
        {
          "name": "26096",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/26096"
        },
        {
          "name": "GLSA-200711-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
        },
        {
          "name": "SUSE-SR:2007:025",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
        },
        {
          "name": "APPLE-SA-2007-12-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://docs.info.apple.com/article.html?artnum=307179"
        },
        {
          "name": "27657",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/27657"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-5380",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "27965",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/27965"
            },
            {
              "name": "ADV-2007-4238",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/4238"
            },
            {
              "name": "ADV-2007-3508",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/3508"
            },
            {
              "name": "TA07-352A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
            },
            {
              "name": "28136",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/28136"
            },
            {
              "name": "26096",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/26096"
            },
            {
              "name": "GLSA-200711-17",
              "refsource": "GENTOO",
              "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
            },
            {
              "name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
              "refsource": "CONFIRM",
              "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
            },
            {
              "name": "SUSE-SR:2007:025",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
            },
            {
              "name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
              "refsource": "CONFIRM",
              "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
            },
            {
              "name": "APPLE-SA-2007-12-17",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
            },
            {
              "name": "http://docs.info.apple.com/article.html?artnum=307179",
              "refsource": "CONFIRM",
              "url": "http://docs.info.apple.com/article.html?artnum=307179"
            },
            {
              "name": "27657",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/27657"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-5380",
    "datePublished": "2007-10-19T23:00:00",
    "dateReserved": "2007-10-11T00:00:00",
    "dateUpdated": "2024-08-07T15:31:58.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2007-5379 (GCVE-0-2007-5379)

Vulnerability from cvelistv5 – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.vupen.com/english/advisories/2007/4238 vdb-entryx_refsource_VUPEN
http://www.vupen.com/english/advisories/2007/3508 vdb-entryx_refsource_VUPEN
http://www.us-cert.gov/cas/techalerts/TA07-352A.html third-party-advisoryx_refsource_CERT
http://secunia.com/advisories/28136 third-party-advisoryx_refsource_SECUNIA
http://www.securityfocus.com/bid/26096 vdb-entryx_refsource_BID
http://security.gentoo.org/glsa/glsa-200711-17.xml vendor-advisoryx_refsource_GENTOO
http://osvdb.org/40717 vdb-entryx_refsource_OSVDB
http://bugs.gentoo.org/show_bug.cgi?id=195315 x_refsource_CONFIRM
http://weblog.rubyonrails.org/2007/10/5/rails-1-2… x_refsource_CONFIRM
http://lists.apple.com/archives/security-announce… vendor-advisoryx_refsource_APPLE
http://docs.info.apple.com/article.html?artnum=307179 x_refsource_CONFIRM
http://secunia.com/advisories/27657 third-party-advisoryx_refsource_SECUNIA
http://dev.rubyonrails.org/ticket/8453 x_refsource_CONFIRM
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T15:31:59.017Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ADV-2007-4238",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/4238"
          },
          {
            "name": "ADV-2007-3508",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/3508"
          },
          {
            "name": "TA07-352A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
          },
          {
            "name": "28136",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/28136"
          },
          {
            "name": "26096",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/26096"
          },
          {
            "name": "GLSA-200711-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
          },
          {
            "name": "40717",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/40717"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
          },
          {
            "name": "APPLE-SA-2007-12-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://docs.info.apple.com/article.html?artnum=307179"
          },
          {
            "name": "27657",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/27657"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://dev.rubyonrails.org/ticket/8453"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2007-11-17T10:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "ADV-2007-4238",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/4238"
        },
        {
          "name": "ADV-2007-3508",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/3508"
        },
        {
          "name": "TA07-352A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
        },
        {
          "name": "28136",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/28136"
        },
        {
          "name": "26096",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/26096"
        },
        {
          "name": "GLSA-200711-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
        },
        {
          "name": "40717",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/40717"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
        },
        {
          "name": "APPLE-SA-2007-12-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://docs.info.apple.com/article.html?artnum=307179"
        },
        {
          "name": "27657",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/27657"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://dev.rubyonrails.org/ticket/8453"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-5379",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2007-4238",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/4238"
            },
            {
              "name": "ADV-2007-3508",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/3508"
            },
            {
              "name": "TA07-352A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
            },
            {
              "name": "28136",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/28136"
            },
            {
              "name": "26096",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/26096"
            },
            {
              "name": "GLSA-200711-17",
              "refsource": "GENTOO",
              "url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
            },
            {
              "name": "40717",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/40717"
            },
            {
              "name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
              "refsource": "CONFIRM",
              "url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
            },
            {
              "name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
              "refsource": "CONFIRM",
              "url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
            },
            {
              "name": "APPLE-SA-2007-12-17",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
            },
            {
              "name": "http://docs.info.apple.com/article.html?artnum=307179",
              "refsource": "CONFIRM",
              "url": "http://docs.info.apple.com/article.html?artnum=307179"
            },
            {
              "name": "27657",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/27657"
            },
            {
              "name": "http://dev.rubyonrails.org/ticket/8453",
              "refsource": "CONFIRM",
              "url": "http://dev.rubyonrails.org/ticket/8453"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-5379",
    "datePublished": "2007-10-19T23:00:00",
    "dateReserved": "2007-10-11T00:00:00",
    "dateUpdated": "2024-08-07T15:31:59.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}