Ruby/rails/1.1.3
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
https://rubygems.org/gems/rails
UNKNOWN
22 Security Vulnerabilities
rails vulnerable to Cross-site Scripting
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2011-0446
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2011-0446
- https://github.com/advisories/GHSA-75w6-p6mg-vh8j
- http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
- http://secunia.com/advisories/43274
- http://secunia.com/advisories/43666
- http://www.debian.org/security/2011/dsa-2247
- http://www.securityfocus.com/bid/46291
- http://www.securitytracker.com/id?1025064
- http://www.vupen.com/english/advisories/2011/0587
- http://www.vupen.com/english/advisories/2011/0877
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
- https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
- https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
- https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Affected versions:
["3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2009-4214
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2009-4214
- https://github.com/advisories/GHSA-9p3v-wf2w-v29c
- http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://secunia.com/advisories/37446
- http://secunia.com/advisories/38915
- http://support.apple.com/kb/HT4077
- http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
- http://www.debian.org/security/2011/dsa-2260
- http://www.debian.org/security/2011/dsa-2301
- http://www.openwall.com/lists/oss-security/2009/11/27/2
- http://www.openwall.com/lists/oss-security/2009/12/08/3
- http://www.securityfocus.com/bid/37142
- http://www.securitytracker.com/id?1023245
- http://www.vupen.com/english/advisories/2009/3352
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
Cross-site scripting (XSS) vulnerability in the striptags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb.
Affected versions:
["2.3.3", "2.3.4", "2.3.2", "2.1.2", "2.0.5", "2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.1.1", "2.1.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Rails Denial of Service vulnerability
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2006-4112
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2006-4112
- https://github.com/advisories/GHSA-9wrq-xvmp-xjc8
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
- http://secunia.com/advisories/21424
- http://secunia.com/advisories/21466
- http://secunia.com/advisories/21749
- http://securitytracker.com/id?1016673
- http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
- http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
- http://www.kb.cert.org/vuls/id/699540
- http://www.novell.com/linux/security/advisories/2006_21_sr.html
- http://www.securityfocus.com/archive/1/442934/100/0/threaded
- http://www.securityfocus.com/bid/19454
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
- https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
- https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
- https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
Unspecified vulnerability in the dependency resolution mechanism
in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or data loss,
a different vulnerability than CVE-2006-4111.
Affected versions:
["1.1.5", "1.1.3", "1.1.4", "1.1.2", "1.1.1", "1.1.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2007-5379
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2007-5379
- https://github.com/advisories/GHSA-fjfg-q662-gm6j
- http://bugs.gentoo.org/show_bug.cgi?id=195315
- http://dev.rubyonrails.org/ticket/8453
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://osvdb.org/40717
- http://secunia.com/advisories/27657
- http://secunia.com/advisories/28136
- http://security.gentoo.org/glsa/glsa-200711-17.xml
- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- http://www.securityfocus.com/bid/26096
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/3508
- http://www.vupen.com/english/advisories/2007/4238
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml
- https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.fromxml (Hash#fromxml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2007-3227
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2007-3227
- https://github.com/advisories/GHSA-gm25-fpmr-43fj
- http://bugs.gentoo.org/show_bug.cgi?id=195315
- http://dev.rubyonrails.org/ticket/8371
- http://osvdb.org/36378
- http://pastie.caboo.se/65550.txt
- http://secunia.com/advisories/25699
- http://secunia.com/advisories/27657
- http://secunia.com/advisories/27756
- http://security.gentoo.org/glsa/glsa-200711-17.xml
- http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- http://www.novell.com/linux/security/advisories/2007_24_sr.html
- http://www.securityfocus.com/bid/24161
- http://www.vupen.com/english/advisories/2007/2216
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml
Cross-site scripting (XSS) vulnerability in the tojson (ActiveRecord::Base#tojson) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
rails is vulnerable to CRLF injection
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2008-5189
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2008-5189
- https://github.com/advisories/GHSA-jmgf-p46x-982h
- http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
- http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
- http://www.securityfocus.com/bid/32359
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Affected versions:
["2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Session fixation vulnerability in Rails
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2007-5380
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2007-5380
- https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
- http://bugs.gentoo.org/show_bug.cgi?id=195315
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://secunia.com/advisories/27657
- http://secunia.com/advisories/27965
- http://secunia.com/advisories/28136
- http://security.gentoo.org/glsa/glsa-200711-17.xml
- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- http://www.novell.com/linux/security/advisories/2007_25_sr.html
- http://www.securityfocus.com/bid/26096
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/3508
- http://www.vupen.com/english/advisories/2007/4238
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to URL-based sessions.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
session fixation protection mechanism in cgi_process.rb in Rails
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2007-6077
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2007-6077
- https://github.com/advisories/GHSA-p4c6-77gc-694x
- http://dev.rubyonrails.org/changeset/8177
- http://dev.rubyonrails.org/ticket/10048
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://secunia.com/advisories/27781
- http://secunia.com/advisories/28136
- http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
- http://www.securityfocus.com/bid/26598
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/4009
- http://www.vupen.com/english/advisories/2007/4238
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml
- https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
The session fixation protection mechanism in cgiprocess.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookieonly attribute from the DEFAULTSESSIONOPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
Affected versions:
["1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Cross site scripting in rails
Published date: 2022-04-22T00:24:28Z
CVE: CVE-2011-1497
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2011-1497
- https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG
- https://www.openwall.com/lists/oss-security/2011/04/06/13
- https://github.com/advisories/GHSA-q58j-fmvf-9rq6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-1497.yml
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
Affected versions:
["3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Ruby on Rails vulnerable to code injection
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2006-4111
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2006-4111
- https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
- http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
- http://secunia.com/advisories/21466
- http://secunia.com/advisories/21749
- http://securitytracker.com/id?1016673
- http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
- http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
- http://www.novell.com/linux/security/advisories/2006_21_sr.html
- http://www.securityfocus.com/bid/19454
- http://www.vupen.com/english/advisories/2006/3237
- https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
- https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
- https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with severe
or serious
impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
Affected versions:
["1.1.5", "1.1.3", "1.1.4", "1.1.2", "1.1.1", "1.1.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
rails vulnerable to improper authentication
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2009-2422
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2009-2422
- https://github.com/advisories/GHSA-rxq3-gm4p-5fj4
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
- http://secunia.com/advisories/35702
- http://support.apple.com/kb/HT4077
- http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
- http://www.securityfocus.com/bid/35579
- http://www.vupen.com/english/advisories/2009/1802
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
- https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
- https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
The example code for the digest authentication functionality (httpauthentication.rb) in Ruby on Rails before 2.3.3 defines an authenticateorrequestwithhttpdigest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Affected versions:
["2.2.2", "2.1.2", "2.0.5", "2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.3.2", "2.2.3", "2.1.1", "2.1.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
rails vulnerable to SQL injection
Published date: 2017-10-24T18:33:38Z
CVE: CVE-2008-4094
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2008-4094
- https://github.com/advisories/GHSA-xf96-32q2-9rw2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
- http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
- http://gist.github.com/8946
- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- http://rails.lighthouseapp.com/projects/8994/tickets/288
- http://rails.lighthouseapp.com/projects/8994/tickets/964
- http://secunia.com/advisories/31875
- http://secunia.com/advisories/31909
- http://secunia.com/advisories/31910
- http://www.openwall.com/lists/oss-security/2008/09/13/2
- http://www.openwall.com/lists/oss-security/2008/09/16/1
- http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
- http://www.securityfocus.com/bid/31176
- http://www.securitytracker.com/id?1020871
- http://www.vupen.com/english/advisories/2008/2562
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml
- http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Affected versions:
["2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
High severity vulnerability that affects rails
Published date: 2017-10-24
CVE: 2006-4111
CVSS V2: 7.5
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code
with severe
or serious
impact via a File Upload request with an HTTP header
that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
Affected versions:
["1.1.5", "1.1.3", "1.1.4", "1.1.2", "1.1.1", "1.1.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
High severity vulnerability that affects rails.
Published date: 2017-10-24
Framework: rails
CVE: 2006-4112
CVSS V2: 7.5
Unspecified vulnerability in the dependency resolution mechanism
in
Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby
code via a URL that is not properly handled in the routing code, which leads to
a denial of service (application hang) or data loss,
a different vulnerability
than CVE-2006-4111.
Affected versions:
["1.1.5", "1.1.3", "1.1.4", "1.1.2", "1.1.1", "1.1.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2007-3227
CVSS V2: 4.3
Cross-site scripting (XSS) vulnerability in the tojson (ActiveRecord::Base#tojson) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2007-5379
CVSS V2: 5.0
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.fromxml (Hash#fromxml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2007-5380
CVSS V2: 6.8
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby
on Rails, allows remote attackers to hijack web sessions via unspecified vectors
related to URL-based sessions.
Affected versions:
["1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2007-6077
CVSS V2: 6.8
The session fixation protection mechanism in cgiprocess.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookieonly attribute from the DEFAULTSESSIONOPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks.
NOTE: this is due to an incomplete fix for CVE-2007-5380.
Affected versions:
["1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2008-5189
CVSS V2: 5.0
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Affected versions:
["2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
High Security Vulnerability with authenticate_with_http_digest of Rails
Published date: 2009-07-10
Framework: rails
CVE: 2009-2422
CVSS V2: 7.5
CVSS V3: 9.8
The example code for the digest authentication functionality (httpauthentication.rb) in Ruby on Rails before 2.3.3 defines an authenticateorrequestwithhttpdigest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Affected versions:
["2.2.2", "2.1.2", "2.0.5", "2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.3.2", "2.2.3", "2.1.1", "2.1.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Moderate severity XSS vulnerability that affects rails
Published date: 2017-10-24
Framework: rails
CVE: 2009-4214
CVSS V2: 4.3
Cross-site scripting (XSS) vulnerability in the striptags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters,related to HTML::Tokenizer and actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb.
Affected versions:
["2.3.3", "2.1.2", "2.0.5", "2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "2.3.4", "2.3.2", "2.1.1", "2.1.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Rails vulnerable to Cross-site Scripting
Published date: 2017-10-24
CVE: 2014-0081
CVSS V2: 4.3
Multiple cross-site scripting (XSS) vulnerabilities in
actionview/lib/action_view/helpers/number_helper.rb
in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2
allow remote attackers to inject arbitrary web script or HTML via the
(1) format, (2) negativeformat, or (3) units parameter to the
(a) numbertocurrency, (b) numbertopercentage, or (c) numberto_human helper.
Affected versions:
["3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.5.rc1", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc3", "3.1.0.rc1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.15", "3.0.14", "3.0.13", "3.0.12.rc1", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc4", "3.0.8.rc1", "3.0.7", "3.0.6.rc2", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.0", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta", "2.3.17", "2.3.16", "2.3.14", "2.3.10", "2.3.9", "2.3.8", "2.3.8.pre1", "2.3.5", "2.3.3", "2.2.2", "2.1.2", "2.0.5", "2.0.1", "2.0.0", "1.2.5", "1.2.2", "1.1.6", "1.1.5", "1.1.3", "0.14.4", "0.14.2", "0.11.1", "0.11.0", "0.10.0", "0.9.4.1", "0.9.4", "0.9.2", "0.9.0", "3.1.12", "3.1.7", "3.1.6", "3.1.5", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1.rc2", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc2", "3.1.0.beta1", "3.0.16", "3.0.13.rc1", "3.0.12", "3.0.11", "3.0.9.rc5", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc1", "3.0.5", "3.0.1", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta2", "2.3.18", "2.3.15", "2.3.12", "2.3.11", "2.3.9.pre", "2.3.7", "2.3.6", "2.3.4", "2.3.2", "2.2.3", "2.1.1", "2.1.0", "2.0.4", "2.0.2", "1.2.6", "1.2.4", "1.2.3", "1.2.1", "1.2.0", "1.1.4", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.3", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.10.1", "0.9.5", "0.9.3", "0.9.1", "0.8.5", "0.8.0"]
Secure versions:
[3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 6.1.7.10, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
498 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 8.0.2 | MIT | 2025-03-12 - 03:09 | 2 months | |
| 8.0.1 | MIT | 2024-12-13 - 20:03 | 5 months | |
| 8.0.0.1 | MIT | 2024-12-10 - 21:46 | 5 months | |
| 8.0.0 | MIT | 2024-11-07 - 22:30 | 6 months | |
| 8.0.0.rc2 | MIT | 2024-10-30 - 00:32 | 7 months | |
| 8.0.0.rc1 | MIT | 2024-10-19 - 01:43 | 7 months | |
| 8.0.0.beta1 | MIT | 2024-09-26 - 15:05 | 8 months | |
| 7.2.2.1 | MIT | 2024-12-10 - 21:42 | 5 months | |
| 7.2.2 | MIT | 2024-10-31 - 01:47 | 7 months | |
| 7.2.1.2 | MIT | 2024-10-23 - 22:35 | 7 months | |
| 7.2.1.1 | MIT | 2024-10-15 - 20:46 | 7 months | |
| 7.2.1 | MIT | 2024-08-22 - 19:48 | 9 months | |
| 7.2.0 | MIT | 2024-08-09 - 23:47 | 9 months | |
| 7.2.0.rc1 | MIT | 2024-08-06 - 17:06 | 10 months | |
| 7.2.0.beta3 | MIT | 2024-07-11 - 15:44 | 10 months | |
| 7.2.0.beta2 | MIT | 2024-06-04 - 18:15 | 12 months | |
| 7.2.0.beta1 | MIT | 2024-05-29 - 23:40 | 12 months | |
| 7.1.5.1 | MIT | 2024-12-10 - 21:27 | 5 months | |
| 7.1.5 | MIT | 2024-10-31 - 01:35 | 7 months | |
| 7.1.4.2 | MIT | 2024-10-23 - 22:29 | 7 months | |
| 7.1.4.1 | MIT | 2024-10-15 - 20:40 | 7 months | |
| 7.1.4 | MIT | 2024-08-22 - 21:29 | 9 months | |
| 7.1.3.4 | MIT | 2024-06-04 - 18:00 | 12 months | |
| 7.1.3.3 | MIT | 2024-05-16 - 19:23 | about 1 year | |
| 7.1.3.2 | MIT | 2024-02-21 - 21:46 | about 1 year | |
| 7.1.3.1 | MIT | 2024-02-21 - 18:46 | about 1 year | |
| 7.1.3 | MIT | 2 | 2024-01-16 - 22:56 | over 1 year |
| 7.1.2 | MIT | 2 | 2023-11-10 - 21:52 | over 1 year |
| 7.1.1 | MIT | 2 | 2023-10-11 - 22:19 | over 1 year |
| 7.1.0 | MIT | 2 | 2023-10-05 - 08:09 | over 1 year |
| 7.1.0.rc2 | MIT | 2023-10-01 - 22:02 | over 1 year | |
| 7.1.0.rc1 | MIT | 2023-09-27 - 04:03 | over 1 year | |
| 7.1.0.beta1 | MIT | 2023-09-13 - 00:41 | over 1 year | |
| 7.0.8.7 | MIT | 2024-12-10 - 21:22 | 5 months | |
| 7.0.8.6 | MIT | 2024-10-23 - 22:23 | 7 months | |
| 7.0.8.5 | MIT | 2024-10-15 - 20:29 | 7 months | |
| 7.0.8.4 | MIT | 2024-06-04 - 17:57 | 12 months | |
| 7.0.8.3 | MIT | 2024-05-17 - 19:54 | about 1 year | |
| 7.0.8.2 | MIT | 2024-05-16 - 19:00 | about 1 year | |
| 7.0.8.1 | MIT | 2024-02-21 - 18:43 | about 1 year | |
| 7.0.8 | MIT | 2 | 2023-09-09 - 19:15 | over 1 year |
| 7.0.7.2 | MIT | 2 | 2023-08-22 - 20:10 | over 1 year |
| 7.0.7.1 | MIT | 2 | 2023-08-22 - 17:20 | over 1 year |
| 7.0.7 | MIT | 2 | 2023-08-09 - 23:58 | almost 2 years |
| 7.0.6 | MIT | 2 | 2023-06-29 - 20:57 | almost 2 years |
| 7.0.5.1 | MIT | 2 | 2023-06-26 - 21:43 | almost 2 years |
| 7.0.5 | MIT | 2 | 2023-05-24 - 19:21 | almost 2 years |
| 7.0.4.3 | MIT | 2 | 2023-03-13 - 18:53 | about 2 years |
| 7.0.4.2 | MIT | 2 | 2023-01-25 - 03:14 | over 2 years |
| 7.0.4.1 | MIT | 2 | 2023-01-17 - 18:55 | over 2 years |