Lucene search

[email protected]CVE-2011-0449

HistoryFeb 21, 2011 - 6:00 p.m.

CVE-2011-0449

2011-02-2118:00:01

CWE-264

[email protected]

web.nvd.nist.gov

cve-2011-0449

ruby on rails

remote attack

access restriction

filesystem

security vulnerability

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

Low

EPSS

0.011

Percentile

84.8%

JSON

actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.

Affected configurations

NVD

Node

rubyonrailsrailsMatch3.0.0

rubyonrailsrailsMatch3.0.0beta

rubyonrailsrailsMatch3.0.0beta2

rubyonrailsrailsMatch3.0.0beta3

rubyonrailsrailsMatch3.0.0beta4

rubyonrailsrailsMatch3.0.0rc

rubyonrailsrailsMatch3.0.0rc2

rubyonrailsrailsMatch3.0.1

rubyonrailsrailsMatch3.0.1pre

rubyonrailsrailsMatch3.0.2

rubyonrailsrailsMatch3.0.2pre

rubyonrailsrailsMatch3.0.3

rubyonrailsrailsMatch3.0.4rc1

VendorProductVersionCPE
rubyonrailsrails3.0.0cpe:/a:rubyonrails:rails:3.0.0:beta2::
rubyonrailsrails3.0.4cpe:/a:rubyonrails:rails:3.0.4:rc1::
rubyonrailsrails3.0.2cpe:/a:rubyonrails:rails:3.0.2:::
rubyonrailsrails3.0.1cpe:/a:rubyonrails:rails:3.0.1:::
rubyonrailsrails3.0.0cpe:/a:rubyonrails:rails:3.0.0:rc2::
rubyonrailsrails3.0.3cpe:/a:rubyonrails:rails:3.0.3:::
rubyonrailsrails3.0.0cpe:/a:rubyonrails:rails:3.0.0:beta::
rubyonrailsrails3.0.0cpe:/a:rubyonrails:rails:3.0.0:beta3::
rubyonrailsrails3.0.1cpe:/a:rubyonrails:rails:3.0.1:pre::
rubyonrailsrails3.0.0cpe:/a:rubyonrails:rails:3.0.0:::

Vendor	Product	Version	CPE
rubyonrails	rails	3.0.0	cpe:/a:rubyonrails:rails:3.0.0:beta2::
rubyonrails	rails	3.0.4	cpe:/a:rubyonrails:rails:3.0.4:rc1::
rubyonrails	rails	3.0.2	cpe:/a:rubyonrails:rails:3.0.2:::
rubyonrails	rails	3.0.1	cpe:/a:rubyonrails:rails:3.0.1:::
rubyonrails	rails	3.0.0	cpe:/a:rubyonrails:rails:3.0.0:rc2::
rubyonrails	rails	3.0.3	cpe:/a:rubyonrails:rails:3.0.3:::
rubyonrails	rails	3.0.0	cpe:/a:rubyonrails:rails:3.0.0:beta::
rubyonrails	rails	3.0.0	cpe:/a:rubyonrails:rails:3.0.0:beta3::
rubyonrails	rails	3.0.1	cpe:/a:rubyonrails:rails:3.0.1:pre::
rubyonrails	rails	3.0.0	cpe:/a:rubyonrails:rails:3.0.0:::