CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-17919
https://notcve.org/view.php?id=CVE-2017-17919
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input **EN DISPUTA** Vulnerabilidad de inyección SQL en el método "order" en Ruby on Rails 5.1.4 y anteriores permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro "id desc". NOTA: El fabricante rechaza este problema porque la documentación indica que este método no esta destinado a utilizarse con datos de entrada no fiables. • https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-17920
https://notcve.org/view.php?id=CVE-2017-17920
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input ** EN DISPUTA ** La vulnerabilidad de inyección SQL en el método 'reorder' de Ruby on Rails 5.1.4 y anteriores permite a los atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro 'name'. NOTA: El proveedor no está de acuerdo con este punto porque la documentación indica que este método no está diseñado para ser utilizado con datos no confiables. • https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 1%CPEs: 51EXPL: 0CVE-2016-2097 – rubygem-actionpack: directory traversal in Action View, incomplete CVE-2016-0752 fix
https://notcve.org/view.php?id=CVE-2016-2097
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. Vulnerabilidad de salto directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.2 y 4.x en versiones anteriores a 4.1.14.2 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del método render de una aplicación y proporcionando un .. (punto punto) en un nombre de ruta. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released http://www.debian.org/security/2016/dsa-3509 http://www.securityfocus.com/bid/83726 http://www.securitytracker.com/id/1035122 https://groups.google.com/forum/ • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 94%CPEs: 73EXPL: 9CVE-2016-2098 – Ruby on Rails ActionPack Inline ERB - Code Execution
https://notcve.org/view.php?id=CVE-2016-2098
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar código Ruby arbitrario aprovechando el uso no restringido del método render de una aplicación. A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code. • https://www.exploit-db.com/exploits/40086 https://github.com/0x00-0x00/CVE-2016-2098 https://github.com/its-arun/CVE-2016-2098 https://github.com/Shakun8/CVE-2016-2098 https://github.com/j4k0m/CVE-2016-2098 https://github.com/Debalinax64/CVE-2016-2098 https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098 https://github.com/3rg1s/CVE-2016-2098 https://github.com/DanielHemmati/CVE-2016-2098-my-first-exploit http://lists.opensuse.org/opensuse-security-announce/ • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 1%CPEs: 86EXPL: 0CVE-2015-7576 – rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
https://notcve.org/view.php?id=CVE-2015-7576
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. El método http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementación Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea más fácil para atacantes remotos eludir la autenticación mediante la medición de las diferencias de temporización. A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html http://lists.opensuse.org/opensuse-updates/201 • CWE-254: 7PK - Security Features CWE-385: Covert Timing Channel •