Immunity Canvas: RAILS_ACTIONPACK_RENDER

2016-04-07 23:59:00
Immunity Canvas
exploitlist.immunityinc.com

CVSS3: 7.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.943 High
Percentile: 99.0%

Name rails_actionpack_render
CVE CVE-2016-2098 Exploit Pack
VENDOR: http://rubyonrails.org
Notes:

This vulnerability affects the ActionPack gem and allows remote attackers to execute arbitrary Ruby code through unsafe use of the 'render' method. Web applications that pass unverified user input to the 'render' method in a controller or a view could be vulnerable to code injection.
The first issue is that the 'render' method accepts a hash as its input parameter. The second issue is triggered when the method receives a hash with a key named after one of the render options, such as html, plain, inline, etc. The method then treats it the same way as 'render key: value'. For example, passing { 'plain' : 'HELLO' } as the parameter is the same as calling 'render plain: "HELLO"'. Using { 'inline' : '' } will give you code execution.
POST parameters do not appear to be exploitable for this vulnerability, because the post_params method checks all parameters against a whitelist.
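The controller pattern described in the notes, next to a hardened form, as an added example that is not Rails, ActionPack or CANVAS code. `model_render`, the `template` parameter name and the template allow-list are hypothetical stand-ins; the model only reports which render mode would be selected and evaluates nothing.

```ruby
# Added illustration; not Rails, ActionPack or CANVAS code.
# model_render is a hypothetical stand-in for the dispatch the notes describe.
# It only reports which render mode would be selected and evaluates nothing.
RENDER_OPTION_KEYS = %w[inline plain html].freeze # option names from the notes

# Constructed allow-list: public name => template path (both hypothetical).
ALLOWED_TEMPLATES = {
  "summary" => "reports/summary",
  "detail"  => "reports/detail"
}.freeze

def model_render(arg)
  return [:template, arg.to_s] unless arg.is_a?(Hash)
  key = arg.keys.map(&:to_s).find { |k| RENDER_OPTION_KEYS.include?(k) }
  key ? [:option, key] : [:unrecognized_hash, nil]
end

# Vulnerable pattern: the request value reaches render unchecked.
def vulnerable_action(params)
  model_render(params["template"])
end

# Hardened pattern: accept only a String and resolve it through the allow-list,
# so the caller never chooses the render mode or a raw path.
def hardened_action(params)
  name = params["template"]
  return [:rejected, :not_a_string] unless name.is_a?(String)
  path = ALLOWED_TEMPLATES[name]
  return [:rejected, :unknown_template] unless path
  model_render(path)
end

# Constructed request parameters.
STRING_REQUEST  = { "template" => "summary" }.freeze
HASH_REQUEST    = { "template" => { "inline" => "(caller-supplied template text)" } }.freeze
UNKNOWN_REQUEST = { "template" => "nonexistent" }.freeze

if __FILE__ == $PROGRAM_NAME
  [STRING_REQUEST, HASH_REQUEST, UNKNOWN_REQUEST].each do |req|
    puts "#{req.inspect}\n  vulnerable: #{vulnerable_action(req).inspect}" \
         "\n  hardened:   #{hardened_action(req).inspect}"
  end
end
```

The type check matters as much as the allow-list: a Hash value is rejected before any lookup, so the render mode is always fixed by the application.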

Repeatability: Infinite
CVE URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2098
CVSS: 7.5
