7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.944 High
EPSS
Percentile
98.8%
The rh-ror41 collection provides Ruby on Rails version 4.1. Ruby on Rails
is a model-view-controller (MVC) framework for web application development.
The following issues were corrected in rubygem-actionview:
A directory traversal flaw was found in the way the Action View component
searched for templates for rendering. If an application passed untrusted
input to the βrenderβ method, a remote, unauthenticated attacker could use
this flaw to render unexpected files and, possibly, execute arbitrary code.
(CVE-2016-2097)
A code injection flaw was found in the way the Action View component
searched for templates for rendering. If an application passed untrusted
input to the βrenderβ method, a remote, unauthenticated attacker could use
this flaw to execute arbitrary code. (CVE-2016-2098)
Red Hat would like to thank the Ruby on Rails project for reporting these
issues. Upstream acknowledges Jyoti Singh and Tobias Kraze (makandra) as
original reporters of CVE-2016-2097, and Tobias Kraze (makandra) and
joernchen (Phenoelit) as original reporters of CVE-2016-2098.
All rh-ror41 collection rubygem-actionview packages users are advised to
upgrade to these updated packages, which contain backported patches to
correct these issues. All running applications using the rh-ror41
collection must be restarted for this update to take effect.
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.944 High
EPSS
Percentile
98.8%