Lucene search

K

GoogleOSV:GHSA-78RC-8C29-P45G

HistoryOct 24, 2017 - 6:33 p.m.

actionpack allows remote code execution via application's unrestricted use of render method

2017-10-2418:33:35

Google

osv.dev

15

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.947 High

EPSS

Percentile

99.2%

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application’s unrestricted use of the render method.

CPENameOperatorVersion
actionpackeq3.1.0.rc2
actionpackeq3.1.1.rc1
actionpackeq3.2.6
actionpackeq4.0.6.rc1
actionpackeq3.2.14.rc2
actionpackeq3.2.20
actionpackeq4.0.4.rc1
actionpackeq4.2.5.rc2
actionpackeq3.0.19
actionpackeq3.0.12

Rows per page:

1-10 of 1841

References

lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html

lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html

lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released

www.debian.org/security/2016/dsa-3509

github.com/rails/rails

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml

groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

nvd.nist.gov/vuln/detail/CVE-2016-2098

web.archive.org/web/20200228015318/www.securityfocus.com/bid/83725

web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ

web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122

www.exploit-db.com/exploits/40086

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.947 High

EPSS

Percentile

99.2%

Related for OSV:GHSA-78RC-8C29-P45G

suse6 fedora4 nessus7 debiancve1 openvas10 zdt1 ubuntucve1 seebug1 packetstorm1 checkpoint_advisories1 canvas1 github1 prion1 cve1 rubygems1 hackerone1 freebsd1 redhat3 ibm1 osv2 debian5