CVE-2007-5379
Summary
- Severity Score: (not given)
- Exploit Likelihood: (not given)
- Affected Versions: see "Affected Vendors, Products, and Versions" below
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Rails before 1.2.4, as used in Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) in an unsafe mode, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
CVSS Scores
- (not given)
SSVC
- Decision: -
Timeline
- 2007-10-11 CVE Reserved
- 2007-10-19 CVE Published
- 2024-08-07 CVE Updated
- 2024-09-29 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (13)
URL | Tag | Source |
---|---|---|
http://bugs.gentoo.org/show_bug.cgi?id=195315 | X_refsource_confirm | |
http://dev.rubyonrails.org/ticket/8453 | X_refsource_confirm | |
http://docs.info.apple.com/article.html?artnum=307179 | X_refsource_confirm | |
http://osvdb.org/40717 | Vdb Entry | |
http://secunia.com/advisories/27657 | Third Party Advisory | |
http://secunia.com/advisories/28136 | Third Party Advisory | |
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release | X_refsource_confirm | |
http://www.us-cert.gov/cas/techalerts/TA07-352A.html | Third Party Advisory | |
http://www.vupen.com/english/advisories/2007/3508 | Vdb Entry | |
http://www.vupen.com/english/advisories/2007/4238 | Vdb Entry | |

URL | Date | SRC |
---|---|---|
http://www.securityfocus.com/bid/26096 | 2012-10-31 | |
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html | 2012-10-31 | |
http://security.gentoo.org/glsa/glsa-200711-17.xml | 2012-10-31 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
David Hansson | Ruby On Rails | <= 1.2.3 | - | Affected |