actionpack 2.3.6
CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
critical severity CVE-2013-0156~> 2.3.15
, ~> 3.0.19
, ~> 3.1.10
, >= 3.2.11
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Possible Information Disclosure / Unintended Method Execution in Action Pack
high severity CVE-2021-22885~> 5.2.4.6
, ~> 5.2.6
, ~> 6.0.3, >= 6.0.3.7
, >= 6.1.3.2
< 2.0.0
There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.
Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6
Impact
There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to
or polymorphic_url
helper with untrusted user input.
Vulnerable code will look like this:
redirect_to(params[:some_param])
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:
private def check(param)
case param
when "valid"
param
else
"/"
end
end
def index
redirect_to(check(params[:some_param]))
end
Or force the user input to be cast to a string like this:
def index
redirect_to(params[:some_param].to_s)
end
Possible remote code execution vulnerability in Action Pack
high severity CVE-2016-2098~> 3.2.22.2
, ~> 4.2.5, >= 4.2.5.2
, ~> 4.1.14, >= 4.1.14.2
>= 5.0.0.beta1
There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098.
Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x Not affected: 5.0+ Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2
Impact
Applications that pass unverified user input to the render
method in a
controller or a view may be vulnerable to a code injection.
Impacted code will look like this:
class TestController < ApplicationController
def show
render params[:id]
end
end
An attacker could use the request parameters to coerce the above example to execute arbitrary ruby code.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
A workaround to this issue is to not pass arbitrary user input to the render
method. Instead, verify that data before passing it to the render
method.
For example, change this:
def index
render params[:id]
end
To this:
def index
render verify_template(params[:id])
end
private
def verify_template(name)
# add verification logic particular to your application here
end
Patches
To aid users who aren't able to upgrade immediately we have provided a patch for it. It is in git-am format and consist of a single changeset.
- 3-2-secure_inline_with_params.patch - Patch for 3.2 series
- 4-1-secure_inline_with_params.patch - Patch for 4.1 series
- 4-2-secure_inline_with_params.patch - Patch for 4.2 series
Credits
Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for reporting this!
Possible Information Leak Vulnerability in Action View
high severity CVE-2016-0752>= 5.0.0.beta1.1
, ~> 4.2.5, >= 4.2.5.1
, ~> 4.1.14, >= 4.1.14.1
, ~> 3.2.22.1
>= 4.1.0
There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752.
Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
Impact
Applications that pass unverified user input to the render
method in a
controller may be vulnerable to an information leak vulnerability.
Impacted code will look something like this:
def index
render params[:id]
end
Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
A workaround to this issue is to not pass arbitrary user input to the render
method. Instead, verify that data before passing it to the render
method.
For example, change this:
def index
render params[:id]
end
To this:
def index
render verify_template(params[:id])
end
private
def verify_template(name)
# add verification logic particular to your application here
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 3-2-render_data_leak.patch - Patch for 3.2 series
- 4-1-render_data_leak.patch - Patch for 4.1 series
- 4-2-render_data_leak.patch - Patch for 4.2 series
- 5-0-render_data_leak.patch - Patch for 5.0 series
Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks John Poulin for reporting this!
Possible Object Leak and Denial of Service attack in Action Pack
high severity CVE-2016-0751>= 5.0.0.beta1.1
, ~> 4.2.5, >= 4.2.5.1
, ~> 4.1.14, >= 4.1.14.1
, ~> 3.2.22.1
There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-0751.
Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
Impact
A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
This attack can be mitigated by a proxy that only allows known mime types in the Accept header.
Placing the following code in an initializer will also mitigate the issue:
require 'action_dispatch/http/mime_type'
Mime.const_set :LOOKUP, Hash.new { |h,k|
Mime::Type.new(k) unless k.blank?
}
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-0-mime_types_leak.patch - Patch for 5.0 series
- 4-2-mime_types_leak.patch - Patch for 4.2 series
- 4-1-mime_types_leak.patch - Patch for 4.1 series
- 3-2-mime_types_leak.patch - Patch for 3.2 series
Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Aaron Patterson <3<3
CSRF Protection Bypass in Ruby on Rails
high severity CVE-2011-0447~> 2.3.11
, >= 3.0.4
< 2.1.0
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
Possible XSS via User Supplied Values to redirect_to
medium severity CVE-2023-28362~> 6.1.7.4
, >= 7.0.5.1
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.
Ability to forge per-form CSRF tokens given a global CSRF token
medium severity CVE-2020-8166~> 5.2.4, >= 5.2.4.3
, >= 6.0.3.1
It is possible to possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.
Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
Possible Information Leak Vulnerability in Action View
medium severity CVE-2016-2097~> 3.2.22.2
, ~> 4.1.14
, >= 4.1.14.2
>= 4.1.0
There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.
Versions Affected: 3.2.x, 4.0.x, 4.1.x Not affected: 4.2+ Fixed Versions: 3.2.22.2, 4.1.14.2
Impact
Applications that pass unverified user input to the render
method in a
controller may be vulnerable to an information leak vulnerability.
Impacted code will look something like this:
def index
render params[:id]
end
Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
A workaround to this issue is to not pass arbitrary user input to the render
method. Instead, verify that data before passing it to the render
method.
For example, change this:
def index
render params[:id]
end
To this:
def index
render verify_template(params[:id])
end
private
def verify_template(name)
# add verification logic particular to your application here
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset.
- 3-2-render_data_leak_2.patch - Patch for 3.2 series
- 4-1-render_data_leak_2.patch - Patch for 4.1 series
Credits
Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!
Timing attack vulnerability in basic authentication in Action Controller.
medium severity CVE-2015-7576>= 5.0.0.beta1.1
, ~> 4.2.5, >= 4.2.5.1
, ~> 4.1.14, >= 4.1.14.1
, ~> 3.2.22.1
There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576.
Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
Impact
Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password.
For example, this string comparison:
"foo" == "bar"
is possibly faster than this comparison:
"foo" == "fo1"
Attackers can use this information to attempt to guess the username and password used in the basic authentication system.
You can tell you application is vulnerable to this attack by looking for
http_basic_authenticate_with
method calls in your application.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application:
$ cat config/initializers/basic_auth_fix.rb
module ActiveSupport
module SecurityUtils
def secure_compare(a, b)
return false unless a.bytesize == b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
module_function :secure_compare
def variable_size_secure_compare(a, b)
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
end
module_function :variable_size_secure_compare
end
end
module ActionController
class Base
def self.http_basic_authenticate_with(options = {})
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
# This comparison uses & so that it doesn't short circuit and
# uses `variable_size_secure_compare` so that length information
# isn't leaked.
ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
end
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 4-1-basic_auth.patch - Patch for 4.1 series
- 4-2-basic_auth.patch - Patch for 4.2 series
- 5-0-basic_auth.patch - Patch for 5.0 series
Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thank you to Daniel Waterworth for reporting the problem and working with us to fix it.
Directory Traversal Vulnerability With Certain Route Configurations
medium severity CVE-2014-0130~> 3.2.18
, ~> 4.0.5
, >= 4.1.1
There is a vulnerability in the 'implicit render' functionality in Ruby on Rails.The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service
medium severity CVE-2014-0082>= 3.2.17
>= 4.0.0
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
medium severity CVE-2014-0081~> 3.2.17
, ~> 4.0.3
, >= 4.1.0.beta2
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
medium severity CVE-2013-6417~> 3.2.16
, >= 4.0.2
The prior fix to CVE-2013-0155 was incomplete and the use of common 3rd party libraries can accidentally circumvent the protection. Due to the way that Rack::Request and Rails::Request interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability.
XSS Vulnerability in number_to_currency
medium severity CVE-2013-6415~> 3.2.16
, >= 4.0.2
There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile. The number_to_currency helper allows users to nicely format a numeric value. One of the parameters to the helper (unit) is not escaped correctly. Applications which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
Reflective XSS Vulnerability in Ruby on Rails
medium severity CVE-2013-4491~> 3.2.16
, >= 4.0.2
There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack.
The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492.
CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
medium severity CVE-2013-1857~> 2.3.18
, ~> 3.1.12
, >= 3.2.13
'The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.'
CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
medium severity CVE-2013-1855~> 2.3.18
, ~> 3.1.12
, >= 3.2.13
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.
CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags
medium severity CVE-2012-3465~> 3.0.17
, ~> 3.1.8
, >= 3.2.8
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
actionpack Improper Authentication vulnerability
medium severity CVE-2012-3424< 3.0.16
The decode_credentials
method in actionpack/lib/action_controller/metal/http_authentication.rb
in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest
helper method, as demonstrated by the authenticate_or_request_with_http_digest
method.
Unsafe Query Generation Risk in Ruby on Rails
medium severity CVE-2012-2694~> 3.0.14
, ~> 3.1.6
, >= 3.2.6
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
Unsafe Query Generation Risk in Ruby on Rails
medium severity CVE-2012-2660~> 3.0.13
, ~> 3.1.5
, >= 3.2.4
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper
medium severity CVE-2012-1099~> 3.0.12
, ~> 3.1.4
, >= 3.2.2
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
Ruby on rails 3.0.5 Remote_IP.rb Input Validation in rails/actionpack
medium severity CVE-2011-3187>= 2.3.13
< 2.3.0
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
Response Splitting Vulnerability in Ruby on Rails
medium severity CVE-2011-3186>= 2.3.13
A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types.
actionpack Cross-site Scripting vulnerability
medium severity CVE-2011-2931>= 2.0.0, < 2.3.13
Cross-site scripting (XSS) vulnerability in the strip_tags
helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
Potential XSS Vulnerability in Ruby on Rails Applications
medium severity CVE-2011-2197~> 2.3.12
, >= 3.0.8
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
Cross site scripting in rails/actionpack < 3.0.6
medium severity CVE-2011-1497>= 3.0.6
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
XSS vulnerabilities in the mail_to helper in rails/actionpack
medium severity CVE-2011-0446~> 2.3.11
, >= 3.0.4
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
ReDoS based DoS vulnerability in Action Dispatch
low severity CVE-2023-22795~> 5.2.8, >= 5.2.8.15
, ~> 6.1.7, >= 6.1.7.1
, >= 7.0.4.1
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a MIT license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.