CVSS: 7.5EPSS: 91%CPEs: 52EXPL: 4CVE-2016-0752 – Ruby on Rails Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2016-0752
01 Feb 2016 — Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Vulnerabilidad de salto de directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriore... • https://packetstorm.news/files/id/139143 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 2%CPEs: 7EXPL: 0CVE-2016-0753 – rubygem-activerecord: possible input validation circumvention in Active Model
https://notcve.org/view.php?id=CVE-2016-0753
01 Feb 2016 — Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo q... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 86EXPL: 0CVE-2015-7576 – rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
https://notcve.org/view.php?id=CVE-2015-7576
01 Feb 2016 — The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. El método http_basic_authenticate_with en actionpack/lib/a... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html • CWE-254: 7PK - Security Features CWE-385: Covert Timing Channel •