CVE-2017-0889
paperclip Critical
Other
Discovered almost 3 years ago
Published almost 3 years ago
Category: Other
Source: NIST NVD
Severity: Critical

Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in. The library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits by default. This may allow a remote attacker to access information about internal network resources.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial Partial Partial
Patched Versions

>= 5.2.0

Unaffected Versions

n/a

CVE-2015-7581
rails Severe
Attribute Restriction
Discovered almost 5 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is an object leak vulnerability for wildcard controllers in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2015-7581.

Versions Affected: >= 4.0.0 and < 5.0.0.beta1 Not affected: < 4.0.0, 5.0.0.beta1 and newer Fixed Versions: 4.2.5.1, 4.1.14.1

Impact

Users that have a route that contains the string “:controller” are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain “:controller”.

Internally, Action Pack keeps a map of “url controller name” to “controller class name”. This map is cached globally, and is populated even if the controller class doesn’t actually exist.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 4-1-wildcard_route.patch - Patch for 4.1 series
  • 4-2-wildcard_route.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None None None Partial
Patched Versions

~> 4.2.5 >= 4.2.5.1 ~> 4.1.14 >= 4.1.14.1

Unaffected Versions

< 4.0.0 >= 5.0.0.beta1