Lucene search

PRIOn knowledge basePRION:CVE-2007-5379

HistoryOct 19, 2007 - 11:17 p.m.

Design/Logic Flaw

2007-10-1923:17:00

PRIOn knowledge base

www.prio-n.com

6.8 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.008 Low

EPSS

Percentile

81.2%

JSON

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

CPENameOperatorVersion
ruby_on_railsle1.2.3

CPE	Name	Operator	Version
	ruby_on_rails	le	1.2.3

References

bugs.gentoo.org/show_bug.cgi?id=195315

dev.rubyonrails.org/ticket/8453

docs.info.apple.com/article.html?artnum=307179

lists.apple.com/archives/security-announce/2007/Dec/msg00002.html

osvdb.org/40717

secunia.com/advisories/27657

secunia.com/advisories/28136

security.gentoo.org/glsa/glsa-200711-17.xml

weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release

www.securityfocus.com/bid/26096

www.us-cert.gov/cas/techalerts/TA07-352A.html

www.vupen.com/english/advisories/2007/3508

www.vupen.com/english/advisories/2007/4238

6.8 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.008 Low

EPSS

Percentile

81.2%

JSON

Related for PRION:CVE-2007-5379