Rails Security Vulnerabilities and Issues — Rails CVE List

Lucene search

RubyonrailsRails

10 matches found

CVE•added 2014/05/07 10:55 a.m.•1029 views

CVE-2014-0130

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files v...

7.5CVSS6.3AI score0.43668EPSS

CVE•added 2014/02/20 3:27 p.m.•114 views

CVE-2014-0081

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) u...

4.3CVSS5.9AI score0.00885EPSS

CVE•added 2014/02/20 3:27 p.m.•89 views

CVE-2014-0082

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in head...

5CVSS6AI score0.06456EPSS

CVE•added 2014/07/07 11:1 a.m.•88 views

CVE-2014-3483

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting...

7.5CVSS8.2AI score0.0125EPSS

CVE•added 2014/08/20 11:17 a.m.•83 views

CVE-2014-3514

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

7.5CVSS6.5AI score0.00331EPSS

CVE•added 2014/02/20 3:27 p.m.•79 views

CVE-2014-0080

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) charact...

6.8CVSS7.8AI score0.00248EPSS

CVE•added 2014/11/08 11:55 a.m.•77 views

CVE-2014-7818

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

4.3CVSS6.4AI score0.00409EPSS

CVE•added 2014/11/18 11:59 p.m.•75 views

CVE-2014-7829

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

5CVSS6.5AI score0.00409EPSS

CVE•added 2014/07/07 11:1 a.m.•72 views

CVE-2014-3482

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.

7.5CVSS8.3AI score0.01435EPSS

CVE•added 2014/11/16 5:59 p.m.•36 views

CVE-2014-3916

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.

5CVSS6.5AI score0.0049EPSS