Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-D20DB60278DC37FA50BB96925C07DD06

HistoryOct 24, 2017 - 12:00 a.m.

Improper Input Validation

2017-10-2400:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.016

Percentile

87.5%

JSON

The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

Affected configurations

Vulners

Node

gemactionpackRange2.3.0≥

gemactionpackRange<2.3.13

VendorProductVersionCPE
gemactionpack*cpe:2.3:a:gem:actionpack:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gem	actionpack	*	cpe:2.3:a:gem:actionpack::::::::

References

archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html

webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html

www.openwall.com/lists/oss-security/2011/08/17/1

www.openwall.com/lists/oss-security/2011/08/19/11

www.openwall.com/lists/oss-security/2011/08/20/1

www.openwall.com/lists/oss-security/2011/08/22/13

www.openwall.com/lists/oss-security/2011/08/22/14

www.openwall.com/lists/oss-security/2011/08/22/5

bugzilla.novell.com/show_bug.cgi?id=673010

github.com/advisories/GHSA-3vfw-7rcp-3xgm

nvd.nist.gov/vuln/detail/CVE-2011-3187

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.016

Percentile

87.5%

JSON

Related for GITLAB-D20DB60278DC37FA50BB96925C07DD06