CVE-2012-3464 (Medium) detected in activesupport-3.0.9.gem

Question

CVE-2012-3464 (Medium) detected in activesupport-3.0.9.gem

mend-bolt-for-github opened this issue 3 years ago · comments

mend-bolt-for-github commented 3 years ago

CVE-2012-3464 - Medium Severity Vulnerability

Vulnerable Library - activesupport-3.0.9.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-3.0.9.gem

Dependency Hierarchy:

rails-3.0.9.gem (Root Library)
- ❌ activesupport-3.0.9.gem (Vulnerable Library)

Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.

Publish Date: 2012-08-10

URL: CVE-2012-3464

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3464

Release Date: 2012-08-10

Fix Resolution: 3.0.17,3.1.8,3.2.8

Step up your Open Source Security Game with WhiteSource here