Search CVE reports

61 – 70 of 148 results

Detailed view

Sort by:

CVE-2019-5419

Medium priority

Vulnerable

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

7 affected packages

rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2, ruby-activesupport-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
rails	Not affected	Not affected	Not affected	Vulnerable
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2019-5418

High priority

Some fixes available 2 of 4

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Fixed
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2018-16477

Medium priority

Not affected

A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them...

7 affected packages

rails-4.0, ruby-activemodel-3.2, rails, ruby-actionpack-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails-4.0	—	—	—	Not in release
ruby-activemodel-3.2	—	—	—	Not in release
rails	—	—	—	Not affected
ruby-actionpack-3.2	—	—	—	Not in release
ruby-activerecord-3.2	—	—	—	Not in release
ruby-activesupport-3.2	—	—	—	Not in release
ruby-rails-3.2	—	—	—	Not in release

CVE-2018-16476

Medium priority

Vulnerable

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activerecord-3.2, ruby-activesupport-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Vulnerable	Vulnerable	Vulnerable
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
rails-4.0	Not in release	Not in release	Not in release	Not in release

CVE-2018-3779

High priority

Ignored

active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	—	—	—	Not affected
rails-4.0	—	—	—	Not in release
ruby-actionpack-3.2	—	—	—	Not in release
ruby-activemodel-3.2	—	—	—	Not in release
ruby-activerecord-3.2	—	—	—	Not in release
ruby-activesupport-3.2	—	—	—	Not in release
ruby-rails-3.2	—	—	—	Not in release

CVE-2016-10522

Medium priority

Vulnerable

rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the...

1 affected package

ruby-rails-admin

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-admin	Not in release	Not in release	Not in release	Vulnerable

CVE-2018-3741

Medium priority

Vulnerable

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and...

1 affected package

ruby-rails-html-sanitizer

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-html-sanitizer	Not affected	Not affected	Not affected	Not affected

CVE-2017-12098

Medium priority

Vulnerable

An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to...

1 affected package

ruby-rails-admin

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-rails-admin	Not in release	Not in release	Not in release	Vulnerable

CVE-2017-17920

Low priority

Ignored

SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because...

7 affected packages

rails, ruby-actionpack-3.2, ruby-rails-3.2, rails-4.0, ruby-activemodel-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Not affected
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release

CVE-2017-17919

Low priority

Ignored

SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because...

7 affected packages

rails, rails-4.0, ruby-actionpack-3.2, ruby-activemodel-3.2, ruby-activerecord-3.2...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
rails	Not affected	Not affected	Not affected	Not affected
rails-4.0	Not in release	Not in release	Not in release	Not in release
ruby-actionpack-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activemodel-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activerecord-3.2	Not in release	Not in release	Not in release	Not in release
ruby-activesupport-3.2	Not in release	Not in release	Not in release	Not in release
ruby-rails-3.2	Not in release	Not in release	Not in release	Not in release

Export to JSON

Results by page: