CVSS: 7.5EPSS: 94%CPEs: 73EXPL: 9CVE-2016-2098 – Ruby on Rails ActionPack Inline ERB - Code Execution
https://notcve.org/view.php?id=CVE-2016-2098
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar código Ruby arbitrario aprovechando el uso no restringido del método render de una aplicación. A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code. • https://www.exploit-db.com/exploits/40086 https://github.com/0x00-0x00/CVE-2016-2098 https://github.com/its-arun/CVE-2016-2098 https://github.com/Shakun8/CVE-2016-2098 https://github.com/j4k0m/CVE-2016-2098 https://github.com/Debalinax64/CVE-2016-2098 https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098 https://github.com/3rg1s/CVE-2016-2098 https://github.com/DanielHemmati/CVE-2016-2098-my-first-exploit http://lists.opensuse.org/opensuse-security-announce/ • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 1%CPEs: 86EXPL: 0CVE-2015-7576 – rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
https://notcve.org/view.php?id=CVE-2015-7576
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. El método http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementación Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea más fácil para atacantes remotos eludir la autenticación mediante la medición de las diferencias de temporización. A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html http://lists.opensuse.org/opensuse-updates/201 • CWE-254: 7PK - Security Features CWE-385: Covert Timing Channel •
CVSS: 7.5EPSS: 2%CPEs: 41EXPL: 0CVE-2015-7581 – rubygem-actionpack: Object leak vulnerability for wildcard controller routes in Action Pack
https://notcve.org/view.php?id=CVE-2015-7581
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. actionpack/lib/action_dispatch/routing/route_set.rb en Action Pack en Ruby on Rails 4.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 permite a atacantes remotos causar una denegación de servicio (almacenamiento en caché superfluo y consumo de memoria) aprovechando el uso de una ruta de controlador comodín por una aplicación. A flaw was found in the Action Pack component's caching of controller references. An attacker could use this flaw to cause unbounded memory growth, potentially resulting in a denial of service. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html http://rhn.redhat.com/errata/RHSA-2016-0296.html http://www.debian.org/security/2016/dsa-3464 http://www.openwall.com/lists/oss-security/2016/01/25/16 http://www.securityfocus.com/bid&#x • CWE-399: Resource Management Errors CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2016-0753 – rubygem-activerecord: possible input validation circumvention in Active Model
https://notcve.org/view.php?id=CVE-2016-0753
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validación a través de parámetros manipulados. A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opens • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 86EXPL: 0CVE-2015-7577 – rubygem-activerecord: Nested attributes rejection proc bypass in Active Record
https://notcve.org/view.php?id=CVE-2015-7577
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. activerecord/lib/active_record/nested_attributes.rb en Active Record en Ruby on Rails 3.1.x y 3.2.x en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no implementa adecuadamente una cierta opción de destruir, lo que permite a atacantes remotos eludir restricciones destinadas al cambio mediante el aprovechamiento del uso de la funcionalidad de atributos anidados. A flaw was found in the Active Record component's handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html http://rhn.redhat.com/errata/RHSA-2016-0296.html http://www.debian.org/security/2016/dsa-3464 http://www.openwall.com/lists/ • CWE-284: Improper Access Control •