OSV:DLA-604-1

ruby-actionpack-3.2 - security update

Published: 2016-08-28 00:00:00
Source: Google (osv.dev)

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.974 High (percentile 99.9%)

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a
web-flow and rendering framework and part of Rails:

  • CVE-2015-7576
    A flaw was found in the way the Action Controller component compared
    user names and passwords when performing HTTP basic
    authentication. Time taken to compare strings could differ depending
    on input, possibly allowing a remote attacker to determine valid user
    names and passwords using a timing attack.
  • CVE-2016-0751
    A flaw was found in the way the Action Pack component performed MIME
    type lookups. Since queries were cached in a global cache of MIME
    types, an attacker could use this flaw to grow the cache indefinitely,
    potentially resulting in a denial of service.
  • CVE-2016-0752
    A directory traversal flaw was found in the way the Action View
    component searched for templates for rendering. If an application
    passed untrusted input to the render method, a remote,
    unauthenticated attacker could use this flaw to render unexpected
    files and, possibly, execute arbitrary code.
  • CVE-2016-2097
    Crafted requests to Action View might result in rendering files from
    arbitrary locations, including files beyond the application’s view
    directory. This vulnerability is the result of an incomplete fix of
    CVE-2016-0752.
    This bug was found by Jyoti Singh and Tobias Kraze
    from Makandra.
  • CVE-2016-2098
    If a web application does not properly sanitize user inputs, an
    attacker might control the arguments of the render method in a
    controller or a view, resulting in the possibility of executing
    arbitrary ruby code. This bug was found by Tobias Kraze from
    Makandra and joernchen of Phenoelit.
  • CVE-2016-6316
    Andrew Carpenter of Critical Juncture discovered a cross-site
    scripting vulnerability affecting Action View. Text declared as HTML
    safe will not have quotes escaped when used as attribute values in
    tag helpers.

For Debian 7 Wheezy, these problems have been fixed in version
3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <https://wiki.debian.org/LTS>
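
The comparison weakness described under CVE-2015-7576, next to a fixed-work check of HTTP basic credentials. This is an added example, not code from Rails or from the Debian package; the helper names and the sample credentials are assumptions constructed for illustration.

```ruby
require "digest"

# Early-exit comparison, instrumented to return how many byte pairs it
# examined. The work done grows with the length of the matching prefix,
# which is the input-dependent timing the advisory describes.
def early_exit_steps(expected, given)
  steps = 0
  expected.bytes.zip(given.bytes) do |e, g|
    steps += 1
    return steps if e != g
  end
  steps
end

# Fixed-work comparison: hash both values to the same length, then fold
# every byte pair with XOR/OR so no byte position ends the loop early.
def secure_compare(expected, given)
  a = Digest::SHA256.digest(expected).bytes
  b = Digest::SHA256.digest(given).bytes
  diff = 0
  a.each_with_index { |byte, i| diff |= byte ^ b[i] }
  diff.zero?
end

# Check an "Authorization: Basic ..." header value against one account.
# The non-short-circuit `&` compares the password even when the user name
# is already wrong, so both failure cases do the same work.
def basic_auth_ok?(header, user, password)
  scheme, encoded = header.to_s.split(" ", 2)
  return false unless scheme&.casecmp?("Basic") && encoded
  given_user, given_pass = encoded.unpack1("m").split(":", 2)
  secure_compare(user, given_user.to_s) & secure_compare(password, given_pass.to_s)
end

# Constructed sample account and header values (not from the advisory).
USER = "admin"
PASS = "s3cret-example"
GOOD = "Basic " + ["#{USER}:#{PASS}"].pack("m0")
BAD  = "Basic " + ["#{USER}:s3cret-exampl3"].pack("m0")

if __FILE__ == $PROGRAM_NAME
  puts early_exit_steps(PASS, "x" * PASS.size)   # wrong from the first byte
  puts early_exit_steps(PASS, "s3cret-exampl3")  # wrong only at the last byte
  puts basic_auth_ok?(GOOD, USER, PASS)
  puts basic_auth_ok?(BAD, USER, PASS)
end
```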
