CVE-2021-22885 – rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack
https://notcve.org/view.php?id=CVE-2021-22885
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. Una posible vulnerabilidad de divulgación de información y ejecución de método no intecional en Action Pack versiones posteriores a 2.0.0 e incluyéndola, cuando se usa la ayuda "redirect_to" o "polymorphic_url" con la entrada de un usuario no confiable A flaw was found in rubygem-actionpack. Information disclosure or unintended method execution is possible when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. The highest threat from this vulnerability is to data confidentiality. • https://hackerone.com/reports/1106652 https://security.netapp.com/advisory/ntap-20210805-0009 https://www.debian.org/security/2021/dsa-4929 https://access.redhat.com/security/cve/CVE-2021-22885 https://bugzilla.redhat.com/show_bug.cgi?id=1957441 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2020-8159
https://notcve.org/view.php?id=CVE-2020-8159
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view. Se presenta una vulnerabilidad en la función Actionpack_page-caching en gem versión anterior a v1.2.1, que permite a un atacante escribir archivos arbitrarios en un servidor web, resultando potencialmente en una ejecución de código remota si el atacante puede escribir un ERB no escapado en una vista. • https://groups.google.com/forum/#%21topic/rubyonrails-security/CFRVkEytdP8 https://lists.debian.org/debian-lts-announce/2021/07/msg00019.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •