CVE-2007-5379

Published: 19 October 2007

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Priority

Status

Package	Release	Status
rails Launchpad, Ubuntu, Debian	dapper	Ignored (reached end-of-life)
	edgy	Needed (reached end-of-life)
	feisty	Needed (reached end-of-life)
	gutsy	Not vulnerable
	hardy	Not vulnerable
	intrepid	Not vulnerable
	jaunty	Not vulnerable
	karmic	Not vulnerable
	lucid	Not vulnerable
	upstream	Released (1.2.4)

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429177
http://dev.rubyonrails.org/changeset/7087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/rails/+bug/163832

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›