CVE-2016-2098 (High) detected in actionpack-3.0.9.gem, rails-3.0.9.gem
mend-bolt-for-github opened this issue
CVE-2016-2098 - High Severity Vulnerability
Vulnerable Libraries - actionpack-3.0.9.gem, rails-3.0.9.gem
actionpack-3.0.9.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.9.gem
Dependency Hierarchy:
- rails-3.0.9.gem (Root Library)
  - railties-3.0.9.gem
    - ❌ actionpack-3.0.9.gem (Vulnerable Library)
  - railties-3.0.9.gem
rails-3.0.9.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.9.gem
Dependency Hierarchy:
- ❌ rails-3.0.9.gem (Vulnerable Library)
Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc
Found in base branch: master
Vulnerability Details
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Publish Date: 2016-04-07
URL: CVE-2016-2098
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2098
Release Date: 2016-04-07
Fix Resolution: 3.2.22.2, 4.1.14.2, 4.2.5.2