CVE-2015-3226 (GCVE-0-2015-3226)
Vulnerability from cvelistv5 – Published: 2015-07-26 22:00 – Updated: 2024-08-06 05:39
VLAI
EPSS
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.securitytracker.com/id/1033755 | vdb-entry, x_refsource_SECTRACK |
| https://groups.google.com/forum/message/raw?msg=r… | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/75231 | vdb-entry, x_refsource_BID |
| http://openwall.com/lists/oss-security/2015/06/16/17 | mailing-list, x_refsource_MLIST |
| http://www.debian.org/security/2016/dsa-3464 | vendor-advisory, x_refsource_DEBIAN |
Date Public
2015-06-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:32.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-15T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1033755",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1033755",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3226",
"datePublished": "2015-07-26T22:00:00.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:32.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2015-3226",
"date": "2026-06-02",
"epss": "0.00212",
"percentile": "0.43683"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2816C02C-E13E-4367-91F3-14756A90EC9E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32EB2C3F-0F24-43DB-988E-BD2973598F71\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F365C9E5-27DC-46C3-AFE4-4876EC7B352B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6F0016A6-0ED6-443D-B969-CB1226D8E28C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E69470EA-5EBC-4FB9-A722-5B61C70C1140\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B13A8EBB-4211-4AB1-8872-244EEEE20ABD\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C9AB2152-DED8-4CFD-B915-94A9F56FDD05\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C630AB60-DBAF-421E-B663-492BAE8A180F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0F41CCF8-14EB-4327-A675-83BFDBB53196\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"75842F7D-B1B1-48BA-858F-01148867B3AA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C0406FF0-30F5-40E2-B9B8-FE465D923DE4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0B7A927B-7E18-44B5-9307-E602790F8AB7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EAB8D57F-9849-428C-B8E9-D0A1020728BB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B0359DA8-6B41-46C5-AA95-41B1B366DD4A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"847B3C3D-8656-404D-A954-09C159EDC8E2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"65CA2D50-B33C-4088-BDDF-EB964C9A092C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CADB5989-5260-4F60-ACF2-BEB6D7F97654\"}, {\"vulnerable\": true, 
\"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"539C550D-FEDD-415E-95AE-40E1AE2BAF1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59C5B869-74FC-4051-A103-A721332B3CF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A68D41F-36A9-4B77-814D-996F4E48FA79\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"83F1142C-3BFB-4B72-A033-81E20DB19D02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A325F57E-0055-4279-9ED7-A26E75FC38E5\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar c\\u00f3digo arbitrario HTML o web script a trav\\u00e9s de un Hash manipulado que no es manejado correctamente durante la codificaci\\u00f3n JSON.\"}]",
"id": "CVE-2015-3226",
"lastModified": "2024-11-21T02:28:56.833",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2015-07-26T22:59:05.133",
"references": "[{\"url\": \"http://openwall.com/lists/oss-security/2015/06/16/17\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.debian.org/security/2016/dsa-3464\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/75231\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1033755\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://openwall.com/lists/oss-security/2015/06/16/17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.debian.org/security/2016/dsa-3464\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/75231\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1033755\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-3226\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-07-26T22:59:05.133\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar c\u00f3digo arbitrario HTML o web script a trav\u00e9s de un Hash manipulado que no es manejado correctamente durante la codificaci\u00f3n JSON.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8\"},{\"v
ulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2816C02C-E13E-4367-91F3-14756A90EC9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32EB2C3F-0F24-43DB-988E-BD2973598F71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F365C9E5-27DC-46C3-AFE4-4876EC7B352B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F0016A6-0ED6-443D-B969-CB1226D8E28C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E69470EA-5EBC-4FB9-A722-5B61C70C1140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B13A8EBB-4211-4AB1-8872-244EEEE20ABD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9AB2152-DED8-4CFD-B915-94A9F56FDD05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C630AB60-DBAF-421E-B663-492BAE8A180F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F41CCF8-14EB-4327-A675-83BFDBB53196\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:
*:*:*:*\",\"matchCriteriaId\":\"75842F7D-B1B1-48BA-858F-01148867B3AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0406FF0-30F5-40E2-B9B8-FE465D923DE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B7A927B-7E18-44B5-9307-E602790F8AB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAB8D57F-9849-428C-B8E9-D0A1020728BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0359DA8-6B41-46C5-AA95-41B1B366DD4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"847B3C3D-8656-404D-A954-09C159EDC8E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65CA2D50-B33C-4088-BDDF-EB964C9A092C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CADB5989-5260-4F60-ACF2-BEB6D7F97654\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"539C550D-FEDD-415E-95AE-40E1AE2BAF1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59C5B869-74FC-4051-A103-A721332B3CF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A68D41F-36A9-4B77-814D-996F4E48FA79\"},{
\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83F1142C-3BFB-4B72-A033-81E20DB19D02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A325F57E-0055-4279-9ED7-A26E75FC38E5\"}]}]}],\"references\":[{\"url\":\"http://openwall.com/lists/oss-security/2015/06/16/17\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/75231\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1033755\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://openwall.com/lists/oss-security/2015/06/16/17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/75231\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1033755\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Title
JSON 'ActiveSupport::JSON.encode()' function cross-site scripting vulnerability
Description
JSON is a lightweight data-interchange language; it is a subset of Javascript and uses a text format that is completely language-independent.
A cross-site scripting vulnerability exists in JSON. A remote attacker can exploit it to construct a malicious URI and lure a user into parsing it, in order to obtain sensitive cookies, hijack sessions, or perform malicious actions on the client.
Severity
Medium
Patch Name
Patch for the JSON 'ActiveSupport::JSON.encode()' function cross-site scripting vulnerability
Patch Description
JSON is a lightweight data-interchange language; it is a subset of Javascript and uses a text format that is completely language-independent. A cross-site scripting vulnerability exists in JSON. A remote attacker can exploit it to construct a malicious URI and lure a user into parsing it, in order to obtain sensitive cookies, hijack sessions, or perform malicious actions on the client. The vendor has now released a security advisory and related patch information that fixes this vulnerability.
Formal description
Users can refer to the following vendor security advisory to obtain the patch and fix this vulnerability: http://weblog.rubyonrails.org/2015/6/16/Rails-3-2-22-4-1-11-and-4-2-2-have-been-released-and-more/
Reference
http://www.securityfocus.com/bid/75231
Impacted products
| Name |
|---|
| JSON JSON |
{
"bids": {
"bid": {
"bidNumber": "75231"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2015-3226"
}
},
"description": "JSON\u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\u6570\u636e\u4ea4\u6362\u8bed\u8a00\uff0c\u5b83\u662fJavascript\u7684\u4e00\u4e2a\u5b50\u96c6\uff0c\u4e14\u91c7\u7528\u5b8c\u5168\u72ec\u7acb\u4e8e\u8bed\u8a00\u7684\u6587\u672c\u683c\u5f0f\u3002\r\n\r\nJSON\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002",
"discovererName": "Francois Chagnon of Shopify",
"formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://weblog.rubyonrails.org/2015/6/16/Rails-3-2-22-4-1-11-and-4-2-2-have-been-released-and-more/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-04089",
"openTime": "2015-06-30",
"patchDescription": "JSON\u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\u6570\u636e\u4ea4\u6362\u8bed\u8a00\uff0c\u5b83\u662fJavascript\u7684\u4e00\u4e2a\u5b50\u96c6\uff0c\u4e14\u91c7\u7528\u5b8c\u5168\u72ec\u7acb\u4e8e\u8bed\u8a00\u7684\u6587\u672c\u683c\u5f0f\u3002JSON\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "JSON \u0027ActiveSupport::JSON.encode()\u0027\u51fd\u6570\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "JSON JSON"
},
"referenceLink": "http://www.securityfocus.com/bid/75231",
"serverity": "\u4e2d",
"submitTime": "2015-06-26",
"title": "JSON \u0027ActiveSupport::JSON.encode()\u0027\u51fd\u6570\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
FKIE_CVE-2015-3226
Vulnerability from fkie_nvd - Published: 2015-07-26 22:59 - Updated: 2026-05-06 22:30
Severity
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.1.0 | |
| rubyonrails | rails | 3.2.0 | |
| rubyonrails | rails | 3.2.1 | |
| rubyonrails | rails | 3.2.2 | |
| rubyonrails | rails | 3.2.3 | |
| rubyonrails | rails | 3.2.4 | |
| rubyonrails | rails | 3.2.5 | |
| rubyonrails | rails | 3.2.6 | |
| rubyonrails | rails | 3.2.7 | |
| rubyonrails | rails | 3.2.8 | |
| rubyonrails | rails | 3.2.9 | |
| rubyonrails | rails | 3.2.10 | |
| rubyonrails | rails | 3.2.11 | |
| rubyonrails | rails | 3.2.12 | |
| rubyonrails | rails | 3.2.13 | |
| rubyonrails | rails | 3.2.15 | |
| rubyonrails | rails | 3.2.16 | |
| rubyonrails | rails | 3.2.17 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 | |
| rubyonrails | rails | 4.1.5 | |
| rubyonrails | rails | 4.1.6 | |
| rubyonrails | rails | 4.1.7 | |
| rubyonrails | rails | 4.1.8 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | ruby_on_rails | 3.2.14 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B7A927B-7E18-44B5-9307-E602790F8AB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar c\u00f3digo arbitrario HTML o web script a trav\u00e9s de un Hash manipulado que no es manejado correctamente durante la codificaci\u00f3n JSON."
}
],
"id": "CVE-2015-3226",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-07-26T22:59:05.133",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-VXVP-4XWC-JPP6
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2025-11-04 20:42
Summary
activesupport Cross-site Scripting vulnerability
Details
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3226"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:59:02Z",
"nvd_published_at": "2015-07-26T22:59:05Z",
"severity": "MODERATE"
},
"details": "Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
"id": "GHSA-vxvp-4xwc-jpp6",
"modified": "2025-11-04T20:42:18Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3226"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3464"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "activesupport Cross-site Scripting vulnerability"
}
GSD-2015-3226
Vulnerability from gsd - Updated: 2015-06-16 00:00
Details
When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
escaping that matches the guarantee implied by the `escape_html_entities_in_json`
option (which is enabled by default). If the resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
For example, the following code snippet is vulnerable to this attack:
    <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
Similarly, the following is also vulnerable:
    <script>
    var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
    </script>
All applications that render JSON-encoded strings containing user-controlled
data in their views should either upgrade to one of the FIXED versions or use
the suggested workaround immediately.
Workarounds
-----------
To work around this problem, add an initializer with the following code:
    module ActiveSupport
      module JSON
        module Encoding
          private
            class EscapedString
              def to_s
                self
              end
            end
        end
      end
    end
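The following Ruby script is an added example; it is not code from the Rails advisory or from ActiveSupport. Using only the standard `json` library, it models the path the initializer above repairs: Rails wrapped strings in a `String` subclass whose `#to_json` applied the HTML-entity escaping, but Ruby's `String#to_s` on a subclass instance returns a plain `String`, so a hash key that is stringified with `#to_s` on its way into the generator loses the wrapper and its escaping `#to_json` is never called, while values, which go straight to `#to_json`, are escaped. Overriding `#to_s` to return `self`, exactly as the workaround does, keeps the wrapper alive. The class names `HtmlEscapedString` and `HtmlEscapedStringFixed`, the serialiser `wrapped_hash_to_json` and the attacker-controlled hash `ATTACK` are constructed for this example and are not the ActiveSupport implementation. The script also shows a hardening that does not depend on ActiveSupport internals: escape `<`, `>`, `&`, U+2028 and U+2029 over the whole generated document (valid because those characters can only occur inside JSON string literals), plus a `safe_for_inline_script?` gate to run before splicing JSON into a `<script>` block.

```ruby
# Added example (not Rails or ActiveSupport code): a stdlib-only model of the
# CVE-2015-3226 mechanism, the advisory's workaround applied to that model,
# and a hardening that does not depend on ActiveSupport internals.
require "json"

# Characters that must never appear raw inside a <script> block. They can only
# occur inside JSON string literals, where a \uXXXX escape is always legal, so
# replacing them keeps the document valid JSON and JSON.parse round-trips it.
SCRIPT_UNSAFE = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028', # LINE SEPARATOR: a line terminator in pre-ES2019 JavaScript
  "\u2029" => '\u2029', # PARAGRAPH SEPARATOR
}.freeze
SCRIPT_UNSAFE_RE = Regexp.union(SCRIPT_UNSAFE.keys)

# Hardened encoder: escape the whole generated document, so keys and values
# take the same path and no generator code path can skip the escaping.
def json_for_html_script(obj)
  JSON.generate(obj).gsub(SCRIPT_UNSAFE_RE) { |c| SCRIPT_UNSAFE[c] }
end

# Gate to run on any JSON text about to be spliced into an inline <script>.
def safe_for_inline_script?(json_text)
  !json_text.match?(SCRIPT_UNSAFE_RE)
end

# --- Model of the defect ---------------------------------------------------
# Stand-in for the escaping wrapper: a String subclass whose #to_json applies
# the HTML-entity escaping. It inherits String#to_s, which on a subclass
# instance returns a plain String, silently dropping this override.
class HtmlEscapedString < String
  def to_json(*)
    super.gsub(SCRIPT_UNSAFE_RE) { |c| SCRIPT_UNSAFE[c] }
  end
end

# The advisory's workaround applied to the stand-in: #to_s returns self, so the
# wrapper (and its escaping #to_json) survives stringification.
class HtmlEscapedStringFixed < HtmlEscapedString
  def to_s
    self
  end
end

# Minimal serialiser reproducing the asymmetry that mattered: keys are
# stringified with #to_s before serialisation, values go straight to #to_json.
def wrapped_hash_to_json(hash, wrapper)
  pairs = hash.map do |k, v|
    key   = wrapper.new(k.to_s).to_s.to_json # key path: #to_s, then #to_json
    value = wrapper.new(v.to_s).to_json      # value path: #to_json directly
    "#{key}:#{value}"
  end
  "{#{pairs.join(',')}}"
end

# Constructed attacker input: the payload sits in a hash *key*, e.g. a
# user-chosen field name, and the value carries HTML as well.
ATTACK = {
  "</script><script>alert(1)</script>" => "<b>hi</b> & bye",
}.freeze

def demo
  {
    vulnerable: wrapped_hash_to_json(ATTACK, HtmlEscapedString),      # key leaks raw
    workaround: wrapped_hash_to_json(ATTACK, HtmlEscapedStringFixed), # key escaped
    hardened:   json_for_html_script(ATTACK),                         # whole document escaped
  }
end

if __FILE__ == $0
  demo.each do |name, json|
    puts "#{name.to_s.ljust(10)} safe=#{safe_for_inline_script?(json)}  #{json}"
  end
end
```

Running the script prints the three encodings: the `vulnerable` line still contains a raw `</script>` in the key while its value is escaped, and the `workaround` and `hardened` lines are identical and pass the gate. The whole-document escaping is the form to prefer in views, because it makes the safety of the output independent of which generator code path a given key or value happened to take.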
Aliases
{
"GSD": {
"alias": "CVE-2015-3226",
"description": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
"id": "GSD-2015-3226",
"references": [
"https://www.suse.com/security/cve/CVE-2015-3226.html",
"https://www.debian.org/security/2016/dsa-3464"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport",
"purl": "pkg:gem/activesupport"
}
}
],
"aliases": [
"CVE-2015-3226",
"GHSA-vxvp-4xwc-jpp6"
],
"details": "When a `Hash` containing user-controlled data is encode as JSON (either through\n`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate\nescaping that matches the guarantee implied by the `escape_html_entities_in_json`\noption (which is enabled by default). If this resulting JSON string is subsequently\ninserted directly into an HTML page, the page will be vulnerable to XSS attacks.\n\nFor example, the following code snippet is vulnerable to this attack:\n\n \u003c%= javascript_tag \"var data = #{user_supplied_data.to_json};\" %\u003e\n\nSimilarly, the following is also vulnerable:\n\n \u003cscript\u003e\n var data = \u003c%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %\u003e;\n \u003c/script\u003e\n\nAll applications that renders JSON-encoded strings that contains user-controlled\ndata in their views should either upgrade to one of the FIXED versions or use\nthe suggested workaround immediately.\n\nWorkarounds\n-----------\nTo work around this problem add an initializer with the following code:\n\n module ActiveSupport\n module JSON\n module Encoding\n private\n class EscapedString\n def to_s\n self\n end\n end\n end\n end\n end\n",
"id": "GSD-2015-3226",
"modified": "2015-06-16T00:00:00.000Z",
"published": "2015-06-16T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU"
}
],
"schema_version": "1.4.0",
"summary": "XSS Vulnerability in ActiveSupport::JSON.encode"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1033755",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-3226",
"date": "2015-06-16",
"description": "When a `Hash` containing user-controlled data is encode as JSON (either through\n`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate\nescaping that matches the guarantee implied by the `escape_html_entities_in_json`\noption (which is enabled by default). If this resulting JSON string is subsequently\ninserted directly into an HTML page, the page will be vulnerable to XSS attacks.\n\nFor example, the following code snippet is vulnerable to this attack:\n\n \u003c%= javascript_tag \"var data = #{user_supplied_data.to_json};\" %\u003e\n\nSimilarly, the following is also vulnerable:\n\n \u003cscript\u003e\n var data = \u003c%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %\u003e;\n \u003c/script\u003e\n\nAll applications that renders JSON-encoded strings that contains user-controlled\ndata in their views should either upgrade to one of the FIXED versions or use\nthe suggested workaround immediately.\n\nWorkarounds\n-----------\nTo work around this problem add an initializer with the following code:\n\n module ActiveSupport\n module JSON\n module Encoding\n private\n class EscapedString\n def to_s\n self\n end\n end\n end\n end\n end\n",
"framework": "rails",
"gem": "activesupport",
"ghsa": "vxvp-4xwc-jpp6",
"patched_versions": [
"\u003e= 4.2.2",
"~\u003e 4.1.11"
],
"title": "XSS Vulnerability in ActiveSupport::JSON.encode",
"unaffected_versions": [
"\u003c 4.1.0"
],
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=4.1.0a \u003c4.1.11||\u003e=4.2.0a \u003c4.2.2",
"affected_versions": "All versions starting from 4.1.0a before 4.1.11, all versions starting from 4.2.0a before 4.2.2",
"credit": "Francois Chagnon of Shopify",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-08-08",
"description": "When a `Hash` containing user-controlled data is encoded as JSON (either through `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate escaping that matches the guarantee implied by the `escape_html_entities_in_json` option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.",
"fixed_versions": [
"4.1.11",
"4.2.2"
],
"identifier": "CVE-2015-3226",
"identifiers": [
"CVE-2015-3226"
],
"not_impacted": "3.x and 4.0.x",
"package_slug": "gem/activesupport",
"pubdate": "2015-07-26",
"solution": "Upgrade to latest, apply patch or use workaround; see provided link.",
"title": "XSS Vulnerability in ActiveSupport::JSON.encode",
"urls": [
"https://groups.google.com/forum/#!searchin/rubyonrails-core/CVE-2015-3226/rubyonrails-core/qBUqVlXERag/kuH3wQk1kxUJ",
"https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU"
],
"uuid": "4888d3dc-f4ac-4765-a7fb-f922bfbdae02"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3226"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode",
"refsource": "MLIST",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"name": "75231",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/75231"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "1033755",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1033755"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2019-08-08T15:43Z",
"publishedDate": "2015-07-26T22:59Z"
}
}
}
OPENSUSE-SU-2024:10574-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-10574
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
32 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10574",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10574-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3226 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3226/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3227 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3227/"
}
],
"title": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10574-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"product": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"product_id": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"product": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"product_id": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"product_id": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"product_id": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"product": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"product_id": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"product": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"product_id": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"product_id": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"product_id": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"product": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"product_id": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"product": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"product_id": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"product_id": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"product_id": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"product": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"product_id": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"product": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"product_id": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"product_id": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"product_id": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"product": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"product_id": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"product": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"product_id": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"product_id": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"product_id": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"product": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"product_id": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"product": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"product_id": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"product_id": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"product_id": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"product": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"product_id": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"product": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"product_id": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"product_id": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"product": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"product_id": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"product": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"product_id": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"product": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"product_id": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"product_id": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"product": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"product_id": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64"
},
"product_reference": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le"
},
"product_reference": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x"
},
"product_reference": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64"
},
"product_reference": "ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64"
},
"product_reference": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le"
},
"product_reference": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x"
},
"product_reference": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64"
},
"product_reference": "ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
},
"product_reference": "ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64"
},
"product_reference": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le"
},
"product_reference": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x"
},
"product_reference": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64"
},
"product_reference": "ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64"
},
"product_reference": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le"
},
"product_reference": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x"
},
"product_reference": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64"
},
"product_reference": "ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
},
"product_reference": "ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3226",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3226"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3226",
"url": "https://www.suse.com/security/cve/CVE-2015-3226"
},
{
"category": "external",
"summary": "SUSE Bug 934799 for CVE-2015-3226",
"url": "https://bugzilla.suse.com/934799"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-3226"
},
{
"cve": "CVE-2015-3227",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3227"
}
],
"notes": [
{
"category": "general",
"text": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3227",
"url": "https://www.suse.com/security/cve/CVE-2015-3227"
},
{
"category": "external",
"summary": "SUSE Bug 934800 for CVE-2015-3227",
"url": "https://bugzilla.suse.com/934800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-5_0-5.0.0.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-4_2-4.2.7.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-activesupport-doc-5_0-5.0.0.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-3227"
}
]
}
SUSE-SU-2016:0082-1
Vulnerability from csaf_suse - Published: 2016-01-12 10:24 - Updated: 2016-01-12 10:24
Summary
Security update for rubygem-activesupport-4_1
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activesupport-4_1
Description of the patch:
This update fixes the following security issues:
- CVE-2015-3227: Possible Denial of Service attack in Active Support (bnc#934800)
- CVE-2015-3226: XSS Vulnerability in ActiveSupport::JSON (bnc#934799)
Patchnames: sleclo50sp3-rubygem-activesupport-4_1-12314
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activesupport-4_1",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\n\n This update fixes the following security issues:\n\n - CVE-2015-3227: Possible Denial of Service\n attack in Active Support (bnc#934800)\n\n - CVE-2015-3226: XSS Vulnerability in\n ActiveSupport::JSON (bnc#934799)\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo50sp3-rubygem-activesupport-4_1-12314",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0082-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0082-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160082-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0082-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-January/001792.html"
},
{
"category": "self",
"summary": "SUSE Bug 934799",
"url": "https://bugzilla.suse.com/934799"
},
{
"category": "self",
"summary": "SUSE Bug 934800",
"url": "https://bugzilla.suse.com/934800"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3226 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3226/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3227 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3227/"
}
],
"title": "Security update for rubygem-activesupport-4_1",
"tracking": {
"current_release_date": "2016-01-12T10:24:18Z",
"generator": {
"date": "2016-01-12T10:24:18Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0082-1",
"initial_release_date": "2016-01-12T10:24:18Z",
"revision_history": [
{
"date": "2016-01-12T10:24:18Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64",
"product": {
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64",
"product_id": "ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 5",
"product": {
"name": "SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
},
"product_reference": "ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3226",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3226"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3226",
"url": "https://www.suse.com/security/cve/CVE-2015-3226"
},
{
"category": "external",
"summary": "SUSE Bug 934799 for CVE-2015-3226",
"url": "https://bugzilla.suse.com/934799"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-01-12T10:24:18Z",
"details": "moderate"
}
],
"title": "CVE-2015-3226"
},
{
"cve": "CVE-2015-3227",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3227"
}
],
"notes": [
{
"category": "general",
"text": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3227",
"url": "https://www.suse.com/security/cve/CVE-2015-3227"
},
{
"category": "external",
"summary": "SUSE Bug 934800 for CVE-2015-3227",
"url": "https://bugzilla.suse.com/934800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-9.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-01-12T10:24:18Z",
"details": "moderate"
}
],
"title": "CVE-2015-3227"
}
]
}
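The CVE-2015-3226 description above says a crafted Hash is mishandled during JSON encoding. The Ruby below is an added illustration, not code from Rails or from this advisory: `encode_values_only` reconstructs the shape of the flaw (string values are HTML-escaped, hash keys are not, so a key can carry raw markup into the output), `encode_html_safe` escapes the whole generated document so keys and values get the same treatment, and `html_safe_json?` is a check suitable for a test suite. The function names, the escape table and the sample Hash are all assumptions made for the example.

```ruby
require 'json'

# Added example; not Rails code. The escape table, function names and the
# sample Hash below are constructed for this illustration.

# JSON never needs a raw '<', '>' or '&' outside string contents, so rewriting
# them as \u escapes in the generated text is lossless for JSON.parse and stops
# the text from closing a <script> element or opening a tag when it is written
# into an HTML page unescaped.
HTML_JSON_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Hardened form: generate first, then escape the whole document. Keys, values
# and nested structures all pass through the same rewrite.
def encode_html_safe(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_JSON_ESCAPES[c] }
end

# Weak form, reconstructing the shape of the CVE-2015-3226 flaw: string values
# are HTML-escaped after JSON encoding, but hash keys are emitted with plain
# JSON quoting only. A key containing markup therefore reaches the output raw.
def encode_values_only(obj)
  case obj
  when Hash
    '{' + obj.map { |k, v| "#{k.to_s.to_json}:#{encode_values_only(v)}" }.join(',') + '}'
  when Array
    '[' + obj.map { |v| encode_values_only(v) }.join(',') + ']'
  when String
    obj.to_json.gsub(/[<>&]/) { |c| HTML_JSON_ESCAPES[c] }
  else
    obj.to_json # numbers, true, false, nil
  end
end

# Test-suite guard: the output must contain no HTML-significant characters and
# must still round-trip to the original object.
def html_safe_json?(text, original)
  !text.match?(/[<>&]/) && JSON.parse(text) == original
end

# Constructed sample input: a hostile value and a hostile key.
SAMPLE = {
  'name' => 'Ada <script>',
  '</script><b>hi</b>' => 'x'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts encode_values_only(SAMPLE) # key markup survives
  puts encode_html_safe(SAMPLE)   # everything escaped
end
```

Escaping the generated text rather than the Ruby objects is the point: both encoders produce output that `JSON.parse` reads back to the same Hash, but only the whole-document rewrite leaves nothing for a browser to interpret if the result is interpolated into a page with `raw` or `html_safe`.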
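CVE-2015-3227 above is a SystemStackError triggered by deep element nesting in the REXML and JDOM backends. The Ruby below is an added example, not Rails' XmlMini code: it runs a streaming pass over the document with a depth counter and rejects it as soon as nesting crosses a bound, before any recursive tree walk sees the input. `DepthGuard`, the limit of 100 and the generated test documents are assumptions made for the example.

```ruby
require 'rexml/document'
require 'rexml/streamlistener'

# Added example; not Rails code. The class, the limit and nested_xml are
# constructed for this illustration.
#
# A SAX-style listener has a flat call stack regardless of input depth, so the
# check itself cannot be exhausted by the document it is inspecting.
class DepthGuard
  include REXML::StreamListener

  class TooDeep < StandardError; end

  attr_reader :max_seen

  def initialize(limit)
    @limit = limit
    @depth = 0
    @max_seen = 0
  end

  def tag_start(_name, _attrs)
    @depth += 1
    @max_seen = @depth if @depth > @max_seen
    raise TooDeep, "element nesting exceeds #{@limit}" if @depth > @limit
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Returns the maximum element depth, or raises DepthGuard::TooDeep the moment
# the bound is crossed, without reading the rest of the document.
def xml_depth_within!(xml, limit: 100)
  guard = DepthGuard.new(limit)
  REXML::Document.parse_stream(xml, guard)
  guard.max_seen
end

# Boolean form for call sites that gate parsing on the result.
def xml_depth_ok?(xml, limit: 100)
  xml_depth_within!(xml, limit: limit)
  true
rescue DepthGuard::TooDeep
  false
end

# Constructed test input: `depth` nested <a> elements around one text node.
def nested_xml(depth)
  ('<a>' * depth) + 'x' + ('</a>' * depth)
end

if __FILE__ == $PROGRAM_NAME
  puts xml_depth_ok?(nested_xml(50))    # true
  puts xml_depth_ok?(nested_xml(5000))  # false, stops at depth 101
end
```

Run the guard before handing untrusted XML to anything that converts it into nested Hashes; the pass stops at the first element past the limit, so a document with thousands of nested tags costs only the parse up to that point.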
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.