Lucene search

[email protected]CVE-2015-3224

HistoryJul 26, 2015 - 10:59 p.m.

CVE-2015-3224

2015-07-2622:59:03

CWE-284

[email protected]

web.nvd.nist.gov

cve-2015-3224

request.rb

web console

ruby on rails

x-forwarded-for

remote attackers

protection mechanism

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.4 Medium

AI Score

Confidence

Low

0.929 High

EPSS

Percentile

99.0%

JSON

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client’s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

Affected configurations

NVD

Node

rubyonrailsweb_consoleRange≤2.1.2

CPENameOperatorVersion
rubyonrails:web_consolerubyonrails web consolele2.1.2

CPE	Name	Operator	Version
rubyonrails:web_console	rubyonrails web console	le	2.1.2

References

lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html

openwall.com/lists/oss-security/2015/06/16/18

www.securityfocus.com/bid/75237

github.com/rails/web-console/blob/master/CHANGELOG.markdown

groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ

Social References

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.4 Medium

AI Score

Confidence

Low

0.929 High

EPSS

Percentile

99.0%

JSON

Related for CVE-2015-3224

nessus2 cvelist1 nuclei1 openvas2 seebug1 github1 nvd1 prion1 zdt1 fedora1 osv1 freebsd1