Search CVE reports
41 – 50 of 79 results
CVE-2019-5418
Medium priorityThere is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Not affected | Not affected | Vulnerable | Vulnerable |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-16477
Medium priorityA bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | — | — | — | Not affected | Not affected |
| rails-4.0 | — | — | — | Not in release | Not in release |
| ruby-actionpack-3.2 | — | — | — | Not in release | Not in release |
| ruby-activemodel-3.2 | — | — | — | Not in release | Not in release |
| ruby-activerecord-3.2 | — | — | — | Not in release | Not in release |
| ruby-activesupport-3.2 | — | — | — | Not in release | Not in release |
| ruby-rails-3.2 | — | — | — | Not in release | Not in release |
CVE-2018-16476
Medium priorityA Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-3779
High priorityactive-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | — | — | — | Not affected | Not affected |
| rails-4.0 | — | — | — | Not in release | Not in release |
| ruby-actionpack-3.2 | — | — | — | Not in release | Not in release |
| ruby-activemodel-3.2 | — | — | — | Not in release | Not in release |
| ruby-activerecord-3.2 | — | — | — | Not in release | Not in release |
| ruby-activesupport-3.2 | — | — | — | Not in release | Not in release |
| ruby-rails-3.2 | — | — | — | Not in release | Not in release |
CVE-2017-17920
Low priority** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Not affected | Not affected | Not affected | Not affected |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2017-17919
Low priority** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Not affected | Not affected | Not affected | Not affected |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2017-17917
Low priority** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Not affected | Not affected | Not affected | Not affected |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2017-17916
Low priority** DISPUTED ** SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | Not affected | Not affected | Not affected | Not affected | Not affected |
| rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
| ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2016-6317
Medium priorityAction Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended...
11 affected packages
rails, rails-4.0, ruby-actionpack-2.3, ruby-actionpack-3.2, ruby-activemodel-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | — | — | — | Not affected | Not affected |
| rails-4.0 | — | — | — | Not in release | Not in release |
| ruby-actionpack-2.3 | — | — | — | Not in release | Not in release |
| ruby-actionpack-3.2 | — | — | — | Not in release | Not in release |
| ruby-activemodel-3.2 | — | — | — | Not in release | Not in release |
| ruby-activerecord-2.3 | — | — | — | Not in release | Not in release |
| ruby-activerecord-3.2 | — | — | — | Not in release | Not in release |
| ruby-activesupport-2.3 | — | — | — | Not in release | Not in release |
| ruby-activesupport-3.2 | — | — | — | Not in release | Not in release |
| ruby-rails-2.3 | — | — | — | Not in release | Not in release |
| ruby-rails-3.2 | — | — | — | Not in release | Not in release |
CVE-2016-6316
Medium priorityCross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as...
11 affected packages
rails, rails-4.0, ruby-actionpack-2.3, ruby-actionpack-3.2, ruby-activemodel-3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| rails | — | — | — | Not affected | Not affected |
| rails-4.0 | — | — | — | Not in release | Not in release |
| ruby-actionpack-2.3 | — | — | — | Not in release | Not in release |
| ruby-actionpack-3.2 | — | — | — | Not in release | Not in release |
| ruby-activemodel-3.2 | — | — | — | Not in release | Not in release |
| ruby-activerecord-2.3 | — | — | — | Not in release | Not in release |
| ruby-activerecord-3.2 | — | — | — | Not in release | Not in release |
| ruby-activesupport-2.3 | — | — | — | Not in release | Not in release |
| ruby-activesupport-3.2 | — | — | — | Not in release | Not in release |
| ruby-rails-2.3 | — | — | — | Not in release | Not in release |
| ruby-rails-3.2 | — | — | — | Not in release | Not in release |