Lucene search

K
mageiaGentoo FoundationMGASA-2014-0303
HistoryJul 26, 2014 - 5:09 p.m.

Updated ruby-actionpack packages fix security issues

2014-07-2617:09:43
Gentoo Foundation
advisories.mageia.org
27

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.009

Percentile

82.7%

Updated ruby-actionpack and ruby-activerecord packages fix security vulnerabilities: Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 4.0.5, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request (CVE-2014-0130). PostgreSQL supports a number of unique data types which are not present in other supported databases. A bug in the SQL quoting code in ActiveRecord in Ruby on Rails before 4.0.7 can allow an attacker to inject arbitrary SQL using carefully crafted values (CVE-2014-3483). The associated Ruby on Rails packages have been updated to version 4.0.8, to address these and other issues.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.009

Percentile

82.7%