Search CVE reports

61 – 70 of 148 results

Detailed view

Sort by:

CVE-2019-5419

Medium priority

Vulnerable

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Vulnerable
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2019-5418

Medium priority

Vulnerable

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system’s filesystem to be exposed.

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Vulnerable
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2018-16477

Medium priority

Not affected

A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them...

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	—	—	—	Not affected
rails-4.0	—	—	—	Not in release
ruby-actionpack-3.2	—	—	—	Not in release
ruby-activemodel-3.2	—	—	—	Not in release
ruby-activerecord-3.2	—	—	—	Not in release
ruby-activesupport-3.2	—	—	—	Not in release
ruby-rails-3.2	—	—	—	Not in release

CVE-2018-16476

Medium priority

Vulnerable

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not...

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Vulnerable	Vulnerable	Vulnerable
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2018-3779

High priority

Ignored

active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	—	—	—	Not affected
rails-4.0	—	—	—	Not in release
ruby-actionpack-3.2	—	—	—	Not in release
ruby-activemodel-3.2	—	—	—	Not in release
ruby-activerecord-3.2	—	—	—	Not in release
ruby-activesupport-3.2	—	—	—	Not in release
ruby-rails-3.2	—	—	—	Not in release

CVE-2016-10522

Medium priority

Vulnerable

rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the...

1 affected package

ruby-rails-admin

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-admin	Not in release	Not in release	Not in release	Vulnerable

CVE-2018-3741

Medium priority

Vulnerable

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and...

1 affected package

ruby-rails-html-sanitizer

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-html-sanitizer	Not affected	Not affected	Not affected	Not affected

CVE-2017-12098

Medium priority

Vulnerable

An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to...

1 affected package

ruby-rails-admin

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-admin	Not in release	Not in release	Not in release	Vulnerable

CVE-2017-17920

Low priority

Ignored

** DISPUTED ** SQL injection vulnerability in the ‘reorder’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because...

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Not affected
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2017-17919

Low priority

Ignored

** DISPUTED ** SQL injection vulnerability in the ‘order’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id desc’ parameter. NOTE: The vendor disputes this...

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Not affected
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

Export to JSON

Results by page: