Search CVE reports
1 – 10 of 82 results
CVE-2023-38037
Medium priority
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current `umask` settings, meaning that it’s possible for other users on...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2023-28362
Medium priority
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2023-28120
Medium priority
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2023-23913
Medium priority
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2024-26144
Medium priority
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user’s session cookie...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2024-26143
Medium priority
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2024-26142
Medium priority
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2023-22797
Medium priority
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2023-22796
Medium priority
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2023-22795
Medium priority
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of...
7 affected packages
rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
rails | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
rails-4.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby-actionpack-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activemodel-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activerecord-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-activesupport-3.2 | — | Not in release | Not in release | Not in release | Not in release |
ruby-rails-3.2 | — | Not in release | Not in release | Not in release | Not in release |