rails 0.14.3

11 security vulnerabilities found in version 0.14.3

High Security Vulnerability with authenticate_with_http_digest of Rails

critical severity CVE-2009-2422
critical severity CVE-2009-2422
Patched versions: >= 2.3.3

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

High severity vulnerability that affects rails

high severity CVE-2008-4094
high severity CVE-2008-4094
Affected versions: < 2.1.1

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Moderate severity vulnerability that affects rails

high severity CVE-2007-6077
high severity CVE-2007-6077
Patched versions: >= 1.2.6

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks.

NOTE: this is due to an incomplete fix for CVE-2007-5380.

Moderate severity vulnerability that affects rails

high severity CVE-2007-5380
high severity CVE-2007-5380
Patched versions: >= 1.2.4

Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

Rails vulnerable to Cross-site Scripting

medium severity CVE-2014-0081
medium severity CVE-2014-0081
Patched versions: ~> 3.2.17, ~> 4.0.3, ~> 4.1.0.beta2, >= 4.1.0

Multiple cross-site scripting (XSS) vulnerabilities in "actionview/lib/action_view/helpers/number_helper.rb" in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

Cross site scripting in rails

medium severity CVE-2011-1497
medium severity CVE-2011-1497
Affected versions: < 3.0.6

A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

Moderate severity vulnerability that affects rails

medium severity CVE-2011-0446
medium severity CVE-2011-0446
Affected versions: < 2.3.11

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

Moderate severity XSS vulnerability that affects rails

medium severity CVE-2009-4214
medium severity CVE-2009-4214
Patched versions: ~> 2.2.2, >= 2.3.5

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters,related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Moderate severity vulnerability that affects rails

medium severity CVE-2008-5189
medium severity CVE-2008-5189
Patched versions: >= 2.0.5

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

Moderate severity vulnerability that affects rails

medium severity CVE-2007-5379
medium severity CVE-2007-5379
Patched versions: >= 1.2.5

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Moderate severity vulnerability that affects rails

medium severity CVE-2007-3227
medium severity CVE-2007-3227
Patched versions: >= 1.2.5

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.