GHSA-78rc-8c29-p45g

Source

https://github.com/advisories/GHSA-78rc-8c29-p45g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-78rc-8c29-p45g/GHSA-78rc-8c29-p45g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-78rc-8c29-p45g

Aliases

CVE-2016-2098

Published

2017-10-24T18:33:35Z

Modified

2024-02-20T05:30:32.973141Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

actionpack allows remote code execution via application's unrestricted use of render method

Details

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.2.22.2

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1

3.0.4

3.0.5.rc1

3.0.5

3.0.6.rc1

3.0.6.rc2

3.0.6

3.0.7.rc1

3.0.7.rc2

3.0.7

3.0.8.rc1

3.0.8.rc2

3.0.8.rc4

3.0.8

3.0.9.rc1

3.0.9.rc3

3.0.9.rc4

3.0.9.rc5

3.0.9

3.0.10.rc1

3.0.10

3.0.11

3.0.12.rc1

3.0.12

3.0.13.rc1

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.1.0.beta1

3.1.0.rc1

3.1.0.rc2

3.1.0.rc3

3.1.0.rc4

3.1.0.rc5

3.1.0.rc6

3.1.0.rc8

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

3.1.4

3.1.5.rc1

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.2.0.rc1

3.2.0.rc2

3.2.0

3.2.1

3.2.2.rc1

3.2.2

3.2.3.rc1

3.2.3.rc2

3.2.3

3.2.4.rc1

3.2.4

3.2.5

3.2.6

3.2.7.rc1

3.2.7

3.2.8.rc1

3.2.8.rc2

3.2.8

3.2.9.rc1

3.2.9.rc2

3.2.9.rc3

3.2.9

3.2.10

3.2.11

3.2.12

3.2.13.rc1

3.2.13.rc2

3.2.13

3.2.14.rc1

3.2.14.rc2

3.2.14

3.2.15.rc1

3.2.15.rc2

3.2.15.rc3

3.2.15

3.2.16

3.2.17

3.2.18

3.2.19

3.2.20

3.2.21

3.2.22

3.2.22.1

Database specific

{
    "last_known_affected_version_range": "<= 3.2.22.1"
}

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.14.2

Affected versions

4.*

4.0.0

4.0.1.rc1

4.0.1.rc2

4.0.1.rc3

4.0.1.rc4

4.0.1

4.0.2

4.0.3

4.0.4.rc1

4.0.4

4.0.5

4.0.6.rc1

4.0.6.rc2

4.0.6.rc3

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10.rc1

4.0.10.rc2

4.0.10

4.0.11

4.0.11.1

4.0.12

4.0.13.rc1

4.0.13

4.1.0.beta1

4.1.0.beta2

4.1.0.rc1

4.1.0.rc2

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

4.1.14.1

Database specific

{
    "last_known_affected_version_range": "<= 4.1.14.1"
}

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.5.2

Affected versions

4.*

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

4.2.5.1

Database specific

{
    "last_known_affected_version_range": "<= 4.2.5.1"
}