CVE-2015-3225
rack Critical
Denial of Service
Discovered over 5 years ago
Published over 5 years ago
Category: Denial of Service
Severity: Critical

Carefully crafted requests can cause a SystemStackError and potentially cause a denial of service attack.

All users running an affected release should upgrade.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.6.2, ~> 1.5.4, ~> 1.4.6

Unaffected Versions

n/a

References

n/a

CVE-2016-4658
nokogiri Critical
Command Injection
Discovered over 3 years ago
Published over 3 years ago
Category: Command Injection
Source: GitHub
Severity: Critical

Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

CVE-2016-4658 (CVSS v3 Base Score: 9.8, Critical): libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE-2016-5131 (CVSS v3 Base Score: 8.8, High): Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.7.1

Unaffected Versions

n/a

References

n/a

CVE-2014-3514
rails Critical
Attribute Restriction
Discovered over 5 years ago
Published about 6 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Critical

The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

~> 4.0.9, >= 4.1.5

Unaffected Versions

< 4.0.0

CVE-2018-3760
sprockets Critical
Information Disclosure
Discovered over 2 years ago
Published over 2 years ago
Category: Information Disclosure
Severity: Critical

Specially crafted requests can be used to access files on the filesystem outside an application’s root directory, when the Sprockets server is used in production.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workaround: In Rails applications, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.

This workaround will not be possible in all hosting environments and upgrading is advised.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 2.12.5, < 3.0.0; >= 3.7.2, < 4.0.0; >= 4.0.0.beta8

Unaffected Versions

n/a

References

n/a

CVE-2016-6316
rails Critical
Cross-Site Scripting
Discovered about 4 years ago
Published about 4 years ago
Category: Cross-Site Scripting
Source: NIST NVD
Severity: Moderate

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Impact

Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Patched Versions

~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Unaffected Versions

< 3.0.0

CVE-2017-5946
rubyzip Critical
Attribute Restriction
Discovered over 3 years ago
Published over 3 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Critical

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses “../” pathname substrings to write arbitrary files to the filesystem.
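The check an application should apply to every entry name of an uploaded archive before extracting it, as an added example that is not code from the rubyzip project or this advisory; the destination directory and entry names are constructed.

```ruby
# Added example, not from the rubyzip project or this advisory: a path check
# to run on each entry name of an uploaded archive before extracting it.

# Returns the absolute path the entry would be written to under dest_dir, or
# nil when that path would fall outside dest_dir.
def safe_extract_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  name = entry_name.to_s
  # Backslashes are separators to some archivers and plain characters to
  # Ruby; refusing them is simpler than guessing which the writer meant.
  return nil if name.include?("\\")
  # File.expand_path treats a leading "~" as a home directory, which would
  # leave dest_dir without a single "..", so refuse that too.
  return nil if name.start_with?("~")
  # Collapses "a/../b" and "../x"; an absolute name expands to itself.
  target = File.expand_path(name, base)
  # The target must be base itself or lie strictly below it. Comparing with a
  # trailing separator stops "/srv/extract-evil/x" matching "/srv/extract".
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Splits an archive's entry names into those safe to extract and those that
# must be rejected (and logged); the caller extracts only the first group.
def partition_entries(dest_dir, entry_names)
  entry_names.partition { |name| safe_extract_path(dest_dir, name) }
end

# Constructed sample listing of a hostile upload.
SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "images/../logo.png",
  "../../outside.txt",
  "/tmp/absolute.txt",
  "~/home-relative.txt",
].freeze

if __FILE__ == $PROGRAM_NAME
  allowed, rejected = partition_entries("/srv/uploads/extract", SAMPLE_ENTRIES)
  puts "allowed:  #{allowed.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```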

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

>= 1.2.1

Unaffected Versions

n/a

CVE-2019-5418
actionview Critical
File Access
Discovered over 1 year ago
Published over 1 year ago
Category: File Access
Severity: Critical

There is a possible file content disclosure vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2019-5418.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Impact

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds

This vulnerability can be mitigated by specifying a format for file rendering, like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file", formats: [:html]
  end
end

In summary, impacted calls to render look like this:

render file: "#{Rails.root}/some/file"

The vulnerability can be mitigated by changing to this:

render file: "#{Rails.root}/some/file", formats: [:html]

Other calls to render are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)

Credits

Thanks to John Hawthorn john@hawthorn.email of GitHub

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

~> 4.2.11, >= 4.2.11.1; ~> 5.0.7, >= 5.0.7.2; ~> 5.1.6, >= 5.1.6.2; ~> 5.2.2, >= 5.2.2.1; >= 6.0.0.beta3

Unaffected Versions

n/a

References

n/a

CVE-2016-2098
rails Critical
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Critical

There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098.

Impact

Applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection.

Impacted code will look like this:

class TestController < ApplicationController
  def show
    render params[:id]
  end
end

An attacker could use the request parameters to coerce the above example to execute arbitrary ruby code.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the affected release series. They are in git-am format and each consists of a single changeset.

  • 3-2-secure_inline_with_params.patch - Patch for 3.2 series
  • 4-1-secure_inline_with_params.patch - Patch for 4.1 series
  • 4-2-secure_inline_with_params.patch - Patch for 4.2 series

Credits

Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for reporting this!

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

~> 3.2.22.2; ~> 4.2.5, >= 4.2.5.2; ~> 4.1.14, >= 4.1.14.2

Unaffected Versions

>= 5.0.0.beta1

CVE-2017-0889
paperclip Critical
Other
Discovered almost 3 years ago
Published almost 3 years ago
Category: Other
Source: NIST NVD
Severity: Critical

The Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in. The library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits by default. This may allow a remote attacker to access information about internal network resources.
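The validation the advisory says is missing, as an added example that is not code from the Paperclip project: a check an application can run on a user-supplied attachment URL before handing it to a fetching adapter. The blocked ranges, hostnames, addresses and the offline resolvers in the test are constructed.

```ruby
# Added example, not from the Paperclip project or this advisory: a URL check
# to run before a user-supplied URL is fetched on the user's behalf.
require "ipaddr"
require "resolv"
require "uri"

# Loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud
# metadata address) and the IPv6 equivalents. Extend for your own network.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the address string falls in a blocked range. IPv4-mapped IPv6
# addresses (::ffff:a00:1 is 10.0.0.1) are unwrapped first so the IPv4
# rules still apply to them; anything unparseable is treated as blocked.
def blocked_address?(ip)
  addr = IPAddr.new(ip.to_s)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

def literal_ip?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Real DNS; the test below substitutes constructed resolvers to stay offline.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Only http(s) URLs whose host resolves exclusively to allowed addresses
# pass; a hostname with several records is rejected if any one is internal.
# Redirect targets must be re-checked with this same function, and the
# connection should be made to the address checked here, or a second lookup
# (DNS rebinding) can return a different answer.
def fetchable_url?(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url.to_s)
  host = uri.hostname.to_s
  return false unless %w[http https].include?(uri.scheme) && !host.empty?
  addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
  return false if addresses.empty?
  addresses.none? { |ip| blocked_address?(ip) }
rescue URI::InvalidURIError
  false
end
```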

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

>= 5.2.0

Unaffected Versions

n/a

CVE-2014-3483 / OSVDB-108665
rails Critical
SQL Injection
Discovered over 5 years ago
Published over 6 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Critical

Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

~> 4.0.7, >= 4.1.3

Unaffected Versions

< 4.0.0

CVE-2017-9050
nokogiri Critical
Denial of Service
Discovered about 3 years ago
Published about 3 years ago
Category: Denial of Service
Source: GitHub
Severity: Critical

The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.

It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047)

Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048)

Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050)

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.8.1

Unaffected Versions

n/a

References

n/a

CVE-2018-16471
rack Severe
Cross-Site Scripting
Discovered almost 2 years ago
Published almost 2 years ago
Category: Cross-Site Scripting
Severity: Severe

There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471.

Versions Affected: All. Not affected: None. Fixed Versions: 2.0.6, 1.6.11

Impact

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to “http” or “https” and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 2.0.6 and 1.6.11 releases are available at the normal locations.

Workarounds

The following monkey patch can be applied to work around this issue:

require "rack"
require "rack/request"

class Rack::Request
  SCHEME_WHITELIST = %w(https http).freeze

  def scheme
    if get_header(Rack::HTTPS) == 'on'
      'https'
    elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
      'https'
    elsif forwarded_scheme
      forwarded_scheme
    else
      get_header(Rack::RACK_URL_SCHEME)
    end
  end

  def forwarded_scheme
    scheme_headers = [
      get_header(HTTP_X_FORWARDED_SCHEME),
      get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
    ]

    scheme_headers.each do |header|
      return header if SCHEME_WHITELIST.include?(header)
    end

    nil
  end
end
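The allowlist logic of the monkey patch above, rewritten as plain functions over a Rack env hash so it can be exercised without loading Rack; this is an added example, not code from the Rack gem or the advisory, and the env hashes in the test are constructed.

```ruby
# Added example, not part of the Rack gem or this advisory: the workaround's
# decision logic over a plain Rack env hash, plus a detection helper.
SCHEME_ALLOWLIST = %w[https http].freeze

# Same decision order as the patched Rack::Request#scheme above.
def request_scheme(env)
  if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
    "https"
  else
    forwarded_scheme(env) || env["rack.url_scheme"]
  end
end

# X-Forwarded-Scheme wins over the first entry of X-Forwarded-Proto, but only
# when the value is exactly "http" or "https"; anything else is ignored.
def forwarded_scheme(env)
  candidates = [
    env["HTTP_X_FORWARDED_SCHEME"],
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",")[0]
  ]
  candidates.find { |value| SCHEME_ALLOWLIST.include?(value) }
end

# Simplified model of the behaviour the advisory describes for unpatched
# releases: the forwarding header value is returned as-is, so a request can
# make `scheme` return arbitrary text that a template then emits unescaped.
def unpatched_forwarded_scheme(env)
  env["HTTP_X_FORWARDED_SCHEME"] || env["HTTP_X_FORWARDED_PROTO"].to_s.split(",")[0]
end

# Worth logging at the edge: a forwarding header that carries anything other
# than an allowed scheme is either a misconfigured proxy or a probe.
def suspicious_scheme_header?(env)
  %w[HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_PROTO].any? do |key|
    value = env[key]
    value && !SCHEME_ALLOWLIST.include?(value.split(",")[0].to_s.strip)
  end
end
```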

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

~> 1.6.11, >= 2.0.6

Unaffected Versions

n/a

References

n/a

CVE-2019-11068
nokogiri Severe
Information Disclosure
Discovered over 1 year ago
Published over 1 year ago
Category: Information Disclosure
Source: GitHub
Severity: Severe

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as “Priority: medium” by Canonical, and “NVD Severity: high” by Debian. More details are available below.

If you’re using your distro’s system libraries, rather than Nokogiri’s vendored libraries, there’s no security need to upgrade at this time, though you may want to check with your distro whether they’ve patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in GitHub issue #1892: https://github.com/sparklemotion/nokogiri/issues/1892.


CVE-2019-11068

Permalinks are:

  • Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068
  • Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Canonical rates this as “Priority: Medium”.

Debian rates this as “NVD Severity: High (attack range: remote)”.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.10.3

Unaffected Versions

n/a

References

n/a

CVE-2019-5419
actionview Severe
Denial of Service
Discovered over 1 year ago
Published over 1 year ago
Category: Denial of Service
Severity: Severe

There is a potential denial of service vulnerability in actionview. This vulnerability has been assigned the CVE identifier CVE-2019-5419.

Impact

Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, leaving the server unable to process requests. This impacts all Rails applications that render views.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

This vulnerability can be mitigated by wrapping render calls with respond_to blocks. For example, the following code is vulnerable:

class UserController < ApplicationController
  def index
    render "index"
  end
end

But the following code is not vulnerable:

class UserController < ApplicationController
  def index
    respond_to do |format|
      format.html { render "index" }
    end
  end
end

Implicit rendering is impacted, so this code is vulnerable:

class UserController < ApplicationController
  def index
  end
end

But it can be changed to this:

class UserController < ApplicationController
  def index
    respond_to do |format|
      format.html { render "index" }
    end
  end
end

As an alternative to specifying the format, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)
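A stand-alone model of what the formats_filter initializer does to an Accept header, covering its use as the workaround for both CVE-2019-5418 and CVE-2019-5419; this is an added example and not Rails code. Accept parsing is simplified to media types (q-values are ignored) and REGISTERED_MIME is a constructed stand-in for the Rails mime registry.

```ruby
# Added example, not part of Rails or the advisories: a model of the
# formats_filter initializer's select over a parsed Accept header.
REGISTERED_MIME = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Minimal counterpart of the objects the initializer inspects: a registered
# format has a symbol, an unregistered one only has its raw media type.
Format = Struct.new(:symbol, :ref)

def parse_accept(header)
  header.to_s.split(",")
        .map { |part| part.split(";").first.to_s.strip }
        .reject(&:empty?)
        .map { |ref| Format.new(REGISTERED_MIME[ref], ref) }
end

# The select in the initializer: keep registered formats and the wildcard,
# drop everything the request invented so it never reaches template lookup.
def filtered_formats(header)
  parse_accept(header).select { |f| f.symbol || f.ref == "*/*" }
end

# What the filter discarded; useful for spotting requests that probe with
# invented media types once normal client traffic has been baselined.
def unregistered_media_types(header)
  parse_accept(header).reject { |f| f.symbol || f.ref == "*/*" }.map(&:ref)
end
```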

Credits

Thanks to John Hawthorn john@hawthorn.email of GitHub

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 6.0.0.beta3; ~> 5.2.2, >= 5.2.2.1; ~> 5.1.6, >= 5.1.6.2; ~> 5.0.7, >= 5.0.7.2; ~> 4.2.11, >= 4.2.11.1

Unaffected Versions

n/a

References

n/a

CVE-2018-14404
nokogiri Severe
Denial of Service
Discovered almost 2 years ago
Published about 2 years ago
Category: Denial of Service
Source: GitHub
Severity: Severe

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Canonical rates this vulnerability as “Priority: Medium”.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.8.5

Unaffected Versions

n/a

References

n/a

CVE-2015-8806
nokogiri Severe
Code Injection
Discovered over 4 years ago
Published over 4 years ago
Category: Code Injection
Source: GitHub
Severity: Severe

Nokogiri is affected by a series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.

For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 1.6.8

Unaffected Versions

< 1.6.0

References

n/a

CVE-2014-10077
i18n Severe
Denial of Service
Discovered almost 2 years ago
Published about 6 years ago
Category: Denial of Service
Source: GitHub
Severity: Severe

The i18n gem for Ruby contains a flaw in the Hash#slice() function in lib/i18n/core_ext/hash.rb that is triggered when it is called on a hash where :some_key is in keep_keys but not in the hash. This may allow an attacker to cause the program to crash.

CVSS Metrics
Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact: n/a
Patched Versions

>= 0.8.0

Unaffected Versions

n/a

References

n/a

CVE-2014-7829
rails Severe
File Access
Discovered over 5 years ago
Published almost 6 years ago
Category: File Access
Source: NIST NVD
Severity: Severe

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but the specially crafted string is slightly different.

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Patched Versions

~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

Unaffected Versions

< 3.0.0

CVE-2016-0751
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-0751.

Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

This attack can be mitigated by a proxy that only allows known mime types in the Accept header.

Placing the following code in an initializer will also mitigate the issue:

require 'action_dispatch/http/mime_type'

Mime.const_set :LOOKUP, Hash.new { |h,k|
  Mime::Type.new(k) unless k.blank?
}

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and each consists of a single changeset.

  • 5-0-mime_types_leak.patch - Patch for 5.0 series
  • 4-2-mime_types_leak.patch - Patch for 4.2 series
  • 4-1-mime_types_leak.patch - Patch for 4.1 series
  • 3-2-mime_types_leak.patch - Patch for 3.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Aaron Patterson <3<3

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
Patched Versions

>= 5.0.0.beta1.1; ~> 4.2.5, >= 4.2.5.1; ~> 4.1.14, >= 4.1.14.1; ~> 3.2.22.1

Unaffected Versions

n/a

CVE-2016-0752
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752.

Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application’s view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end
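One concrete way to fill in the verify_template stub that both CVE-2016-2098 and CVE-2016-0752 leave to the application, as an added example that is not code from the Rails advisories: the user-supplied name is resolved against a fixed allowlist, so only exact keys ever reach render. The template names are constructed.

```ruby
# Added example, not from the Rails advisories: an allowlist implementation
# of the verify_template stub shown in the workarounds above.

# Map of the short names a request may use to the templates they resolve to.
# Only exact keys match, so path separators, "..", and absolute paths in
# params[:id] can never be passed on to render.
ALLOWED_TEMPLATES = {
  "index"    => "users/index",
  "profile"  => "users/profile",
  "settings" => "users/settings",
}.freeze

class UnknownTemplate < StandardError; end

def allowed_template?(name)
  ALLOWED_TEMPLATES.key?(name.to_s)
end

# Returns the template to pass to render, or raises so the controller can
# answer 404 instead of rendering whatever the request asked for.
def verify_template(name)
  ALLOWED_TEMPLATES.fetch(name.to_s) do
    raise UnknownTemplate, "template not allowed: #{name.to_s.inspect}"
  end
end
```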

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and each consists of a single changeset.

  • 3-2-render_data_leak.patch - Patch for 3.2 series
  • 4-1-render_data_leak.patch - Patch for 4.1 series
  • 4-2-render_data_leak.patch - Patch for 4.2 series
  • 5-0-render_data_leak.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks John Poulin for reporting this!

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Patched Versions

>= 5.0.0.beta1.1; ~> 4.2.5, >= 4.2.5.1; ~> 4.1.14, >= 4.1.14.1

Unaffected Versions

>= 4.1.0

CVE-2015-7581
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is an object leak vulnerability for wildcard controllers in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2015-7581.

Versions Affected: >= 4.0.0 and < 5.0.0.beta1
Not affected: < 4.0.0, 5.0.0.beta1 and newer
Fixed Versions: 4.2.5.1, 4.1.14.1

Impact

Users that have a route that contains the string “:controller” are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain “:controller”.

Internally, Action Pack keeps a map of “url controller name” to “controller class name”. This map is cached globally, and is populated even if the controller class doesn’t actually exist.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and each consists of a single changeset.

  • 4-1-wildcard_route.patch - Patch for 4.1 series
  • 4-2-wildcard_route.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
Patched Versions

~> 4.2.5, >= 4.2.5.1; ~> 4.1.14, >= 4.1.14.1

Unaffected Versions

< 4.0.0, >= 5.0.0.beta1

CVE-2016-0753
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.

Impact

Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.

Vulnerable code will look something like this:

SomeModel.new(unverified_user_input)

Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to whitelist parameters and must specifically opt-out of input verification using the permit! method to allow mass assignment.

For example, a vulnerable Rails application will have code that looks like this:

def create
  params.permit! # allow all parameters
  @user = User.new params[:users]
end

Active Model and Active Record objects are not equipped to handle arbitrary user input. It is up to the application to verify input before passing it to Active Model models. Rails users already have Strong Parameters in place to handle whitelisting, but applications using Active Model and Active Record outside of a Rails environment may be impacted.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are several workarounds depending on the application. Inside a Rails application, stop using permit!. Outside a Rails application, either use Hash#slice to select the parameters you need, or integrate Strong Parameters with your application.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and each consists of a single changeset.

  • 4-1-validation_skip.patch - Patch for 4.1 series
  • 4-2-validation_skip.patch - Patch for 4.2 series
  • 5-0-validation_skip.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to:

John Backus from BlockScore for reporting this!

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Patched Versions

>= 5.0.0.beta1.1; ~> 4.2.5, >= 4.2.5.1; ~> 4.1.14, >= 4.1.14.1

Unaffected Versions

<= 4.0.13

CVE-2015-7577
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.

Versions Affected: 3.1.0 and newer
Not affected: 3.0.x and older
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allow_destroy: false option to the accepts_nested_attributes_for method. However, due to a change in commit a9b4b5d, the _destroy flag prevents the :reject_if proc from being called, because the code assumes that the record will be destroyed anyway.

This isn’t true if :allow_destroy is false, so changes that would have been rejected are applied to the record. Attackers could use this to do things like set attributes to invalid values or clear all of the attributes, amongst other things. The severity will depend on how the application has used this feature.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

If you can’t upgrade, please use the following monkey patch in an initializer that is loaded before your application:

$ cat config/initializers/nested_attributes_bypass_fix.rb
module ActiveRecord
  module NestedAttributes
    private

    def reject_new_record?(association_name, attributes)
      will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
    end

    def call_reject_if(association_name, attributes)
      # Only skip the :reject_if callback when the record really will be destroyed.
      return false if will_be_destroyed?(association_name, attributes)

      case callback = self.nested_attributes_options[association_name][:reject_if]
      when Symbol
        method(callback).arity == 0 ? send(callback) : send(callback, attributes)
      when Proc
        callback.call(attributes)
      end
    end

    # A _destroy flag only means destruction when allow_destroy is enabled
    # for the association; otherwise the attributes must still be validated.
    def will_be_destroyed?(association_name, attributes)
      allow_destroy?(association_name) && has_destroy_flag?(attributes)
    end

    def allow_destroy?(association_name)
      self.nested_attributes_options[association_name][:allow_destroy]
    end
  end
end

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
  • 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
  • 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
  • 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thank you to Justin Coyne for reporting the problem and working with us to fix it.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Patched Versions

>= 5.0.0.beta1.1 ~> 4.2.5 >= 4.2.5.1 ~> 4.1.14 >= 4.1.14.1 ~> 3.2.22.1

Unaffected Versions

~> 3.0.0 < 3.0.0

CVE-2016-2097
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed in CVE-2016-0752; however, the 3.2 patch did not cover all scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2

Impact

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application’s view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

Patches

To aid users who aren’t able to upgrade immediately we have provided patches. They are in git-am format and each consists of a single changeset.

  • 3-2-render_data_leak_2.patch - Patch for 3.2 series
  • 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits

Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 4.1.14 >= 4.1.14.2

Unaffected Versions

>= 4.2.0

Gemfile
code Severe
Mass Assignment
Discovered over 5 years ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

create_with is vulnerable to strong params bypass. Upgrade to Rails 4.1.5 or patch

Location

Gemfile

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in Gemfile or mark it as false positive.

CVE-2015-2963
paperclip Moderate
Attribute Restriction
Discovered over 5 years ago
Published over 5 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Moderate

There is an issue where an HTML file uploaded with a .html extension but a declared content type of image/jpeg bypasses a validation that checks for images. It also passes the spoof check, because a file named .html that contains actual HTML passes the spoof check.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Patched Versions

>= 4.2.2

Unaffected Versions

n/a

CVE-2015-7576
rails Moderate
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Moderate

There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576.

Versions Affected: All.
Not affected: None.
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password.

For example, this string comparison:

"foo" == "bar"

is possibly faster than this comparison:

"foo" == "fo1"

Attackers can use this information to attempt to guess the username and password used in the basic authentication system.

You can tell whether your application is vulnerable to this attack by looking for http_basic_authenticate_with method calls in your application.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

If you can’t upgrade, please use the following monkey patch in an initializer that is loaded before your application:

$ cat config/initializers/basic_auth_fix.rb
require "digest"

module ActiveSupport
  module SecurityUtils
    # Constant-time comparison of two strings of equal length: every byte is
    # OR-ed into the result so the running time does not depend on where the
    # first mismatch occurs.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      l = a.unpack "C#{a.bytesize}"

      res = 0
      b.each_byte { |byte| res |= byte ^ l.shift }
      res == 0
    end
    module_function :secure_compare

    # Hash both inputs first so that strings of different lengths are compared
    # through fixed-length digests and the length of the secret is not leaked.
    def variable_size_secure_compare(a, b)
      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
    end
    module_function :variable_size_secure_compare
  end
end

module ActionController
  class Base
    def self.http_basic_authenticate_with(options = {})
      before_action(options.except(:name, :password, :realm)) do
        authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
          # This comparison uses & so that it doesn't short circuit and
          # uses `variable_size_secure_compare` so that length information
          # isn't leaked.
          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
        end
      end
    end
  end
end

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 4-1-basic_auth.patch - Patch for 4.1 series
  • 4-2-basic_auth.patch - Patch for 4.2 series
  • 5-0-basic_auth.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thank you to Daniel Waterworth for reporting the problem and working with us to fix it.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

>= 5.0.0.beta1.1 ~> 4.2.5 >= 4.2.5.1 ~> 4.1.14 >= 4.1.14.1 ~> 3.2.22.1

Unaffected Versions

n/a

CVE-2014-7818
rails Moderate
File Access
Discovered over 5 years ago
Published almost 6 years ago
Category: File Access
Source: NIST NVD
Severity: Moderate

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 3.2.20 ~> 4.0.11 ~> 4.1.7 >= 4.2.0.beta3

Unaffected Versions

< 3.0.0

CVE-2014-0130
rails Moderate
Attribute Restriction
Discovered over 5 years ago
Published over 6 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Moderate

There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails. The implicit render functionality allows controllers to render a template even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization, which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the Rails application server.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 3.2.18 ~> 4.0.5 >= 4.1.1

Unaffected Versions

n/a

CVE-2017-5029
nokogiri Moderate
Buffer Errors
Discovered over 3 years ago
Published over 3 years ago
Category: Buffer Errors
Source: GitHub
Severity: Moderate

nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as “Medium” by Canonical and given a CVSS3 score of “6.5 Medium” and “8.8 High” by RedHat.

These patches only apply when using Nokogiri’s vendored libxslt package. If you’re using your distro’s system libraries, there’s no need to upgrade from 1.7.0.1 or 1.7.1 at this time.

Full details are available at the github issue linked to in the changelog below.

1.7.2 / 2017-05-09

Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.

For more information:

  • https://github.com/sparklemotion/nokogiri/issues/1634
  • http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
  • http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 1.7.2

Unaffected Versions

n/a

References

n/a