Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc4cmMtOGMyOS1wNDVn
actionpack allows remote code execution via application's unrestricted use of render method
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Permalink: https://github.com/advisories/GHSA-78rc-8c29-p45gJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc4cmMtOGMyOS1wNDVn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: 10 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-78rc-8c29-p45g, CVE-2016-2098
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-2098
- https://www.exploit-db.com/exploits/40086/
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
- http://www.debian.org/security/2016/dsa-3509
- https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725
- https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
- https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml
- https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
- https://github.com/advisories/GHSA-78rc-8c29-p45g
Affected Packages
rubygems:actionpack
Dependent packages: 1,669Dependent repositories: 876,080
Downloads: 531,968,200 total
Affected Version Ranges: >= 4.2.0, <= 4.2.5.1, >= 4.0.0, <= 4.1.14.1, >= 3.0.0, <= 3.2.22.1
Fixed in: 4.2.5.2, 4.1.14.2, 3.2.22.2
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2-2.1, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.1.0, 4.1.1-0.rc1, 4.1.1-0.rc2, 4.1.1-0.rc3, 4.1.1-0.rc4, 4.1.1-2.rc1, 4.1.1-3.rc1, 4.1.1-4.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3
All unaffected versions: 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.2.2, 2.2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16