Lucene search

Veracode Vulnerability DatabaseVERACODE:25761

HistoryJun 25, 2020 - 5:10 a.m.

Authorization Bypass

2020-06-2505:10:50

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

actionpack is vulnerable to authorization bypass. An attacker is be able to execute any migrations that are pending for a Rails app running in production mode.

CPENameOperatorVersion
actionpackle6.0.3.1

CPE	Name	Operator	Version
	actionpack	le	6.0.3.1

References

github.com/advisories/GHSA-c6qr-h5vq-59jc

github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2

groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0

hackerone.com/reports/899069

lists.fedoraproject.org/archives/list/[email protected]/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

Related for VERACODE:25761