Severity: 6.4 Medium (CVSS2)

CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.19 (Low); percentile: 95.5%

Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.

A flaw was found in the way Ruby on Rails performed JSON parameter parsing.
An application using a third-party library which uses the Rack::Request
interface, or custom Rack middleware, could bypass the protection
implemented to fix the CVE-2013-0155 vulnerability, causing the application
to receive unsafe parameters and become vulnerable to CVE-2013-0155.
(CVE-2013-6417)

It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflected cross-site scripting (XSS) attack by providing
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)

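The following is an added example, not code from Rails or from this advisory. It is a simplified stand-in for a number_to_currency-style helper that shows the class of fix CVE-2013-6415 required: the caller-supplied unit is HTML-escaped (here with the standard-library ERB::Util.html_escape) before it is interpolated into the rendered string, so markup submitted by a user in the unit parameter is rendered as literal text. The option names (unit, format, precision, separator, delimiter) are assumed to mirror the Rails helper; the number formatting logic is written for this example and is not the library's implementation.

```ruby
# Added example: a stand-in currency formatter that escapes the unit option.
# It is not Rails' number_to_currency; option names are assumed to mirror it.
require "erb"

# Formats +amount+ as a currency string. +format+ uses %u for the unit and
# %n for the number, as the Rails helper does (assumption for this example).
def format_currency(amount, unit: "$", format: "%u%n", precision: 2,
                    separator: ".", delimiter: ",")
  value = amount.to_f
  whole, frac = ("%.#{precision}f" % value.abs).split(".")
  # Insert the thousands delimiter: reverse, group in threes, reverse back.
  whole = whole.reverse.scan(/\d{1,3}/).join(delimiter).reverse
  number = precision.zero? ? whole : "#{whole}#{separator}#{frac}"
  number = "-#{number}" if value.negative?

  # The unit may originate from user input, so it is escaped before being
  # placed into markup. This is the behaviour the CVE-2013-6415 fix added.
  safe_unit = ERB::Util.html_escape(unit.to_s)

  # A single gsub with a lookup hash so a unit containing "%n" is never
  # re-expanded by a second substitution pass.
  format.gsub(/%[un]/, "%u" => safe_unit, "%n" => number)
end

# Returns true when the rendered string contains no raw angle brackets,
# i.e. when any markup in the unit was neutralised by escaping.
def markup_neutralised?(rendered)
  !rendered.match?(/[<>]/)
end

if __FILE__ == $0
  puts format_currency(1234567.891)                                  # $1,234,567.89
  puts format_currency(5, unit: "<b>USD</b>", format: "%n %u")       # 5.00 &lt;b&gt;USD&lt;/b&gt;
  puts markup_neutralised?(format_currency(5, unit: "<b>USD</b>"))   # true
end
```

The important line is the html_escape call: everything else is ordinary number formatting. A defender reviewing a view helper for this bug class should look for any option that is interpolated into HTML without passing through the same escaping as the rest of the output.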
Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | ruby193-rubygem-actionpack | < 3.2.8-5.1.el6 | ruby193-rubygem-actionpack-3.2.8-5.1.el6.noarch.rpm |
RedHat | 6 | src | ruby193-rubygem-actionpack | < 3.2.8-5.1.el6 | ruby193-rubygem-actionpack-3.2.8-5.1.el6.src.rpm |
RedHat | 6 | noarch | ruby193-rubygem-actionpack-doc | < 3.2.8-5.1.el6 | ruby193-rubygem-actionpack-doc-3.2.8-5.1.el6.noarch.rpm |