GSD-2015-3224

Vulnerability from gsd - Updated: 2015-06-16 00:00
Details
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved. All affected users should either upgrade or use one of the work arounds immediately. To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
Aliases
Aliases
CVE-2015-3224
To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-3224",
    "description": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.",
    "id": "GSD-2015-3224",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-3224.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "web-console",
            "purl": "pkg:gem/web-console"
          }
        }
      ],
      "aliases": [
        "CVE-2015-3224",
        "GHSA-67j6-xv27-w6ww"
      ],
      "details": "Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).\n\nUsers whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.\n\nAll affected users should either upgrade or use one of the work arounds immediately.\n\nTo work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.\n",
      "id": "GSD-2015-3224",
      "modified": "2015-06-16T00:00:00.000Z",
      "published": "2015-06-16T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "IP whitelist bypass in Web Console"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-3224",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "75237",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/75237"
          },
          {
            "name": "[rubyonrails-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
            "refsource": "MLIST",
            "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ"
          },
          {
            "name": "[oss-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2015/06/16/18"
          },
          {
            "name": "FEDORA-2015-10128",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html"
          },
          {
            "name": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown",
            "refsource": "CONFIRM",
            "url": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-3224",
      "date": "2015-06-16",
      "description": "Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).\n\nUsers whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.\n\nAll affected users should either upgrade or use one of the work arounds immediately.\n\nTo work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.\n",
      "gem": "web-console",
      "ghsa": "67j6-xv27-w6ww",
      "patched_versions": [
        "\u003e= 2.1.3"
      ],
      "title": "IP whitelist bypass in Web Console",
      "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.1.3",
          "affected_versions": "All versions before 2.1.3",
          "credit": "Joernchen of Phenoelit and Ben Murphy",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-284",
            "CWE-937"
          ],
          "date": "2016-12-02",
          "description": "Specially crafted remote requests can spoof their origin, bypassing the IP allowlist, in any environment where Web Console is enabled (development and test, by default).To work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.",
          "fixed_versions": [
            "2.1.3"
          ],
          "identifier": "CVE-2015-3224",
          "identifiers": [
            "CVE-2015-3224"
          ],
          "package_slug": "gem/web-console",
          "pubdate": "2015-07-26",
          "solution": "Upgrade to latest, apply patch or use workaround; see provided link.",
          "title": "Permissive List of Allowed Inputs",
          "urls": [
            "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
          ],
          "uuid": "9d2cb4f0-86a2-4f60-8ba7-9c016b7ead55"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.1.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-3224"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[rubyonrails-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
              "refsource": "MLIST",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ"
            },
            {
              "name": "[oss-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://openwall.com/lists/oss-security/2015/06/16/18"
            },
            {
              "name": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown"
            },
            {
              "name": "FEDORA-2015-10128",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html"
            },
            {
              "name": "75237",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/75237"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2016-12-03T03:08Z",
      "publishedDate": "2015-07-26T22:59Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.