CVE-2015-8314
devise Critical
Authentication
Discovered over 1 year ago
Published over 5 years ago
Category: Authentication
Severity: Critical

Devise versions before 3.5.4 use cookies to implement the "Remember me" functionality, but generate the same cookie for all of a user's devices. If an attacker manages to steal a remember-me cookie and the user does not change their password, the cookie can be used to access the application indefinitely.
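The two properties a practitioner should check in any remember-me scheme are shown in the added example below (this is illustrative code, not Devise's implementation): the cookie is bound to the current password salt, so a password change invalidates it, and the generation time sits inside the signed payload, so a stolen cookie stops working after the configured lifetime no matter what expiry the client claims. The secret, the lifetime, the user records and the cookie layout are all constructed for the example.

```ruby
require "openssl"
require "json"
require "time"
require "base64"

# Stand-ins (constructed): the app secret and the "remember me" lifetime.
SECRET = "constructed-secret-key-base".freeze
REMEMBER_FOR = 14 * 24 * 3600 # two weeks, in seconds

# Constant-time comparison so a forged signature cannot be timed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A users row; the hashed password is all the cookie needs from it.
def make_user(id, password_hash)
  { id: id, password_hash: password_hash }
end

# A prefix of the stored hash acts as the salt, so it changes with the password.
def rememberable_value(user)
  user[:password_hash][0, 29]
end

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Weak cookie: the signed payload is just [id, salt]. It is identical on every
# device and carries nothing the server can use to expire it.
def build_weak_cookie(user)
  payload = JSON.generate([user[:id], rememberable_value(user)])
  "#{Base64.strict_encode64(payload)}--#{sign(payload)}"
end

# Hardened cookie: the generation time is inside the signed payload, so a
# stolen cookie dies after REMEMBER_FOR whatever expiry the client presents.
def build_cookie(user, generated_at = Time.now)
  payload = JSON.generate([user[:id], rememberable_value(user), generated_at.utc.iso8601])
  "#{Base64.strict_encode64(payload)}--#{sign(payload)}"
end

# Returns the user id for an acceptable cookie, nil for anything else.
def verify_cookie(cookie, users, now = Time.now)
  encoded, sig = cookie.to_s.split("--", 2)
  return nil unless encoded && sig
  payload = Base64.strict_decode64(encoded)
  return nil unless secure_equal?(sign(payload), sig)
  id, token, generated_at = JSON.parse(payload)
  user = users[id]
  return nil unless user && secure_equal?(rememberable_value(user), token.to_s)
  return nil unless generated_at.is_a?(String) # weak-format cookie: no timestamp, so never eternal
  return nil if now - Time.iso8601(generated_at) > REMEMBER_FOR
  id
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  users = { 1 => make_user(1, "$2a$11$constructedhashvalue0123456789abcdefghij") }
  cookie = build_cookie(users[1])
  puts verify_cookie(cookie, users).inspect                              # 1
  puts verify_cookie(cookie, users, Time.now + REMEMBER_FOR + 1).inspect # nil: expired server-side
  users[1] = make_user(1, "$2a$11$differenthashafterpasswordchange000000000")
  puts verify_cookie(cookie, users).inspect                              # nil: salt rotated
end
```

The point of checking the timestamp on the server is that a browser-side cookie expiry is advisory only: an attacker replaying a stolen cookie from their own client sets whatever expiry they like.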

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 3.5.4

Unaffected Versions

n/a

References

n/a

CVE-2017-17917
rails Severe
SQL Injection
Discovered over 1 year ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘where’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None Partial Partial Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2017-17919
rails Severe
SQL Injection
Discovered over 1 year ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘order’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id desc’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None Partial Partial Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2013-0233 / OSVDB-89642
devise Severe
Resource Management
Discovered over 1 year ago
Published about 8 years ago
Category: Resource Management
Source: NIST NVD
Severity: Severe

Devise contains a flaw that is triggered when a type conversion error occurs during the parsing of a malformed request. With a specially crafted request, a remote attacker can bypass security restrictions.
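The description above does not say which parameter was involved, so the added example below (illustrative, not Devise's code) shows the generic defence for this bug class: a lookup key such as a reset or confirmation token must be a non-empty String before it reaches a query. A request body that the parser turns into nil, an Array or a Hash is then refused instead of being compared against rows whose token column is NULL. The user table and parameter name are constructed.

```ruby
class UntrustedLookupValue < ArgumentError; end

# Returns the value as a stripped String, or raises if it is anything a
# lookup query should never see (nil, Array, Hash, blank).
def lookup_string!(name, value)
  raise UntrustedLookupValue, "#{name} missing" if value.nil?
  raise UntrustedLookupValue, "#{name} must be a String, got #{value.class}" unless value.is_a?(String)
  stripped = value.strip
  raise UntrustedLookupValue, "#{name} is blank" if stripped.empty?
  stripped
end

# Stand-in table (constructed). A NULL token is exactly what an un-cast nil
# matches when the query is built from the raw parameter.
USERS = [
  { id: 1, email: "alice@example.com", reset_password_token: nil },
  { id: 2, email: "bob@example.com",   reset_password_token: "t0k3n-for-bob" },
].freeze

# Unchecked shape: whatever the parser produced is compared as-is, so a JSON
# body of {"reset_password_token": null} finds the row whose token is NULL.
def find_by_reset_token_unchecked(params)
  USERS.find { |u| u[:reset_password_token] == params["reset_password_token"] }
end

# Checked shape: the value is forced to a non-empty String first.
def find_by_reset_token(params)
  token = lookup_string!(:reset_password_token, params["reset_password_token"])
  USERS.find { |u| u[:reset_password_token] == token }
end

if __FILE__ == $PROGRAM_NAME
  puts find_by_reset_token_unchecked("reset_password_token" => nil).inspect # alice's row
  begin
    find_by_reset_token("reset_password_token" => nil)
  rescue UntrustedLookupValue => e
    puts "refused: #{e.message}"
  end
end
```

Apply the same guard to every attribute used as an authentication key (email, login, tokens): the parser, not the application, decides what Ruby type a crafted XML or JSON body becomes.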

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Low None Partial Partial Partial
Patched Versions

~> 1.5.4 ~> 2.0.5 ~> 2.1.3 >= 2.2.3

Unaffected Versions

n/a

CVE-2017-17920
rails Severe
SQL Injection
Discovered over 1 year ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘reorder’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None Partial Partial Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2017-17916
rails Severe
SQL Injection
Discovered over 1 year ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘find_by’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
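The four disputed reports above (CVE-2017-17916, -17917, -17919, -17920) describe one thing: where, order, reorder and find_by accept a raw SQL fragment when handed a String, so an application that interpolates request parameters into that String writes its own injection. The added example below is not Rails code; it is a stand-in query builder that runs without ActiveRecord and shows the injected query next to the safe forms, a quoted bind value for where/find_by, and an allowlist for order/reorder, which take column names and cannot be parameterised. Table and column names are constructed.

```ruby
# Minimal string-literal quoting, the rule a bind parameter applies.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The disputed pattern: the parameter is spliced into the fragment, as in
# where("name = '#{params[:name]}'") or find_by("name = '#{params[:name]}'").
def unsafe_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Hash conditions or a bind, as in where(name: params[:name]) or
# find_by(name: params[:name]): the value arrives as one literal, so a quote
# inside it cannot close the literal.
def safe_where(name)
  "SELECT * FROM users WHERE name = #{sql_quote(name)}"
end

# order/reorder take SQL by design (order("created_at desc")), so the request
# may only choose among known columns and directions.
ORDERABLE_COLUMNS = {
  "id" => "users.id",
  "name" => "users.name",
  "created_at" => "users.created_at",
}.freeze
DIRECTIONS = %w[ASC DESC].freeze

class UnorderableInput < ArgumentError; end

def safe_order(column, direction = "asc")
  col = ORDERABLE_COLUMNS.fetch(column.to_s) do
    raise UnorderableInput, "refusing to order by #{column.inspect}"
  end
  dir = direction.to_s.upcase
  raise UnorderableInput, "bad direction #{direction.inspect}" unless DIRECTIONS.include?(dir)
  "SELECT * FROM users ORDER BY #{col} #{dir}"
end

# For a single "id desc" style parameter like the one in the report above.
def safe_order_from_param(param)
  column, direction = param.to_s.split(/\s+/, 2)
  safe_order(column, direction || "asc")
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --"
  puts unsafe_where(payload) # WHERE name = '' OR 1=1 --'   -> every row
  puts safe_where(payload)   # WHERE name = ''' OR 1=1 --'  -> a literal string
  puts safe_order_from_param("id desc")
  begin
    safe_order_from_param("id desc; DROP TABLE users")
  rescue UnorderableInput => e
    puts "refused: #{e.message}"
  end
end
```

Grep for `where("`, `order(params`, `reorder(params` and `find_by("` with interpolation in a code base; each hit is an instance of the pattern the vendor's documentation warns about.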

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None Partial Partial Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2018-16476
rails Severe
Information Disclosure
Discovered over 1 year ago
Published over 4 years ago
Category: Information Disclosure
Severity: Severe

There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.
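The added example below is a simplified model of the Active Job argument round trip, not Active Job's own code. In the affected shape a bare String reaching the worker is first tried as a GlobalID, so user input of the form "gid://<app>/User/1" comes back as the record it names rather than as text; in the fixed shape only the tagged value the serializer itself emitted resolves. The record store stands in for GlobalID::Locator and the app name, records and job arguments are constructed.

```ruby
# Stand-in for the records GlobalID::Locator.locate would return (constructed).
RECORDS = {
  "gid://myapp/User/1" => { "class" => "User", "id" => 1, "email" => "admin@example.com" },
}.freeze

def locate(gid_string)
  RECORDS[gid_string]
end

# Something a model passes to perform_later on purpose: it knows its GlobalID.
class Record
  def initialize(gid)
    @gid = gid
  end

  def to_global_id
    @gid
  end
end

GLOBALID_KEY = "_aj_globalid".freeze
class SerializationError < ArgumentError; end

# Enqueue side, same in both shapes: models are tagged, a Hash that uses the
# reserved key is refused, everything else is stored as given.
def serialize(arg)
  if arg.respond_to?(:to_global_id)
    { GLOBALID_KEY => arg.to_global_id.to_s }
  elsif arg.is_a?(Hash) && arg.key?(GLOBALID_KEY)
    raise SerializationError, "reserved key #{GLOBALID_KEY}"
  else
    arg
  end
end

def deserialize_tagged(hash)
  return hash unless hash.keys == [GLOBALID_KEY]
  locate(hash[GLOBALID_KEY]) || raise(KeyError, "no record for #{hash[GLOBALID_KEY]}")
end

# Worker side, affected shape: a bare String is tried as a GlobalID first, so
# text that merely looks like one resolves to the record it names.
def deserialize_vulnerable(arg)
  case arg
  when String then locate(arg) || arg
  when Hash then deserialize_tagged(arg)
  else arg
  end
end

# Worker side, fixed shape: only the tagged Hash the serializer emitted resolves.
def deserialize_fixed(arg)
  arg.is_a?(Hash) ? deserialize_tagged(arg) : arg
end

# What MyJob.perform_later(user_input) hands perform on the worker.
def worker_receives(user_input, fixed:)
  stored = serialize(user_input)
  fixed ? deserialize_fixed(stored) : deserialize_vulnerable(stored)
end

if __FILE__ == $PROGRAM_NAME
  crafted = "gid://myapp/User/1"
  p worker_receives(crafted, fixed: false) # the User record, not the string
  p worker_receives(crafted, fixed: true)  # "gid://myapp/User/1"
end
```

Independently of the framework fix, a job that expects an identifier should be handed one of the expected type, for example `Integer(params[:id])`, and look the record up itself; that keeps arbitrary strings out of the serialized arguments altogether.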

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 4.2.11 ~> 5.0.7.1 ~> 5.1.6.1 ~> 5.1.7 >= 5.2.1.1

Unaffected Versions

< 4.2.0

References

n/a

CVE-2015-1840
jquery-rails Severe
Cross-Site Request Forgery
Discovered over 1 year ago
Published almost 6 years ago
Category: Cross-Site Request Forgery
Severity: Severe

In the scenario where an attacker can control the href attribute of an anchor tag or the action attribute of a form tag that triggers a POST, the attacker can set the href or action to " https://attacker.com" (note the leading space). That value is passed to jQuery, which treats it as a same-origin request and sends the user's CSRF token to the attacker's domain.

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag so that it filters the user parameters.

For example, change code like this:

link_to params

to code like this:

link_to filtered_params

def filtered_params
  # Filter just the parameters that you trust
end

See also: http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
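The added example below reproduces in Ruby the decision that went wrong; it is not jquery-rails or jQuery code. jQuery classified a URL as same-origin by matching it against an anchored regular expression; a URL with a leading space did not match, was classed as local, and the CSRF token was attached, even though the browser trims the space and sends the request to the foreign host. The hardened check normalises the way a browser does before comparing scheme, host and port. The application origin and the attacker URL are constructed.

```ruby
require "uri"

OWN_ORIGIN = "https://app.example.com".freeze

# Same shape as the regex jQuery used to split a URL into scheme, host and
# port; it is anchored at the start, so whitespace before the scheme defeats it.
URL_PARTS = /\A([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/

def default_port(scheme)
  scheme == "https:" ? "443" : "80"
end

# Affected decision: an unparsable URL is treated as local, so the token is sent.
def cross_domain_regex?(url)
  scheme, host, port = URL_PARTS.match(OWN_ORIGIN.downcase).captures
  parts = URL_PARTS.match(url.downcase)
  return false unless parts # the bug: no match means "same origin"
  u_scheme, u_host, u_port = parts.captures
  u_scheme != scheme || u_host != host ||
    (u_port || default_port(u_scheme)) != (port || default_port(scheme))
end

# Hardened decision: strip what a browser strips (leading and trailing control
# characters and spaces), resolve against our own origin, compare the result.
# Anything that still does not parse is treated as cross-domain.
def cross_domain?(url)
  cleaned = url.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
  target = URI.join(OWN_ORIGIN, cleaned)
  own = URI(OWN_ORIGIN)
  !(target.scheme == own.scheme && target.host == own.host && target.port == own.port)
rescue URI::Error
  true
end

# The token is only ever attached when the hardened check says "local".
def csrf_headers_for(url, token)
  cross_domain?(url) ? {} : { "X-CSRF-Token" => token }
end

if __FILE__ == $PROGRAM_NAME
  evil = " https://attacker.com"
  puts "regex check says cross-domain: #{cross_domain_regex?(evil)}" # false: token would leak
  puts "hardened check says cross-domain: #{cross_domain?(evil)}"    # true
  p csrf_headers_for(evil, "tok")      # {}
  p csrf_headers_for("/posts/1", "tok") # {"X-CSRF-Token"=>"tok"}
end
```

The same normalisation belongs on the server side of the workaround above: when filtering an href or action parameter, strip leading whitespace and control characters before deciding whether the URL is relative or points at your own host.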

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 4.0.4 ~> 3.1.3

Unaffected Versions

n/a

References

n/a

OSVDB-114435
devise Severe
Cross-Site Request Forgery
Discovered over 1 year ago
Published almost 8 years ago
Category: Cross-Site Request Forgery
Severity: Severe

Devise contains a flaw that allows a remote, user-assisted attacker to conduct a CSRF token fixation attack. The issue arises because the previous CSRF token is not invalidated when a new session is established. If an attacker knows that token, for example by having fixed it into the victim's session before authentication, a specially crafted request can be made with it, allowing the attacker to conduct CSRF attacks against the authenticated user.
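A minimal session model of the fixation, added here as an example and not taken from Devise: if the CSRF token that was in the session before authentication is still the valid token afterwards, an attacker who planted or learned that pre-login token can forge requests for the now-authenticated user. The fix is to discard the token at the authentication boundary so a fresh one is issued. Session keys, user ids and method names are constructed.

```ruby
require "securerandom"

class Session
  attr_reader :data

  def initialize
    @data = {}
  end

  # Lazily minted, as a framework does when the first form is rendered.
  def csrf_token
    @data[:_csrf_token] ||= SecureRandom.hex(16)
  end

  def valid_csrf?(presented)
    !presented.nil? && presented == @data[:_csrf_token]
  end

  # Affected shape: only the identity changes; every other key survives.
  def sign_in_vulnerable(user_id)
    @data[:user_id] = user_id
  end

  # Fixed shape: the pre-authentication token is dropped, so the next
  # csrf_token call mints one the attacker has never seen.
  def sign_in(user_id)
    @data.delete(:_csrf_token)
    @data[:user_id] = user_id
  end

  # The same boundary applies on the way out.
  def sign_out
    @data.delete(:_csrf_token)
    @data.delete(:user_id)
  end
end

# Attacker learns the anonymous session's token, the victim then logs in, and
# the attacker submits a forged request carrying the old token.
def fixation_succeeds?(fixed_sign_in)
  session = Session.new
  attacker_known_token = session.csrf_token
  fixed_sign_in ? session.sign_in(42) : session.sign_in_vulnerable(42)
  session.csrf_token # the app renders a form after login
  session.valid_csrf?(attacker_known_token)
end

if __FILE__ == $PROGRAM_NAME
  puts "token survives login (affected): #{fixation_succeeds?(false)}" # true
  puts "token survives login (fixed):    #{fixation_succeeds?(true)}"  # false
end
```

When auditing an authentication layer, the check is simple: capture the anti-CSRF token before login, log in, and confirm a request carrying the old token is rejected.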

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 2.2.5 >= 3.0.1

Unaffected Versions

n/a

References

n/a

CVE-2016-6316
rails Moderate
Cross-Site Scripting
Discovered over 1 year ago
Published almost 5 years ago
Category: Cross-Site Scripting
Source: NIST NVD
Severity: Moderate

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Impact

Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
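The added example below is a minimal attribute renderer, not Action View's code, that models the behaviour described above: a value marked "HTML safe" is emitted without escaping, so a double quote inside it closes the attribute and the remainder becomes a new attribute. The same payload run through the escape_quotes workaround stays inside the attribute. The SafeString class, the helper signatures and the payload are constructed stand-ins.

```ruby
# Marker class standing in for a string flagged html_safe.
class SafeString < String; end

def mark_safe(str)
  SafeString.new(str)
end

# Full escaping for values the helper treats as untrusted.
def html_escape(value)
  value.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# The advisory's workaround: only the quotes need escaping on an already
# sanitized value. The result keeps its "safe" marker so it is not re-escaped.
def escape_quotes(value)
  SafeString.new(value.gsub(/"/, '&quot;'.freeze))
end

# Models tag-helper attribute handling: "HTML safe" values skip escaping.
def render_attribute(name, value)
  rendered = value.is_a?(SafeString) ? value : html_escape(value)
  %(#{name}="#{rendered}")
end

def content_tag(tag, body, attrs)
  attr_html = attrs.map { |k, v| render_attribute(k, v) }.join(" ")
  "<#{tag} #{attr_html}>#{html_escape(body)}</#{tag}>"
end

# The attribute names a browser would see on the rendered tag; an extra
# event-handler attribute here is the XSS.
def attribute_names(html)
  html.scan(/\s([a-zA-Z-]+)="/).flatten
end

if __FILE__ == $PROGRAM_NAME
  payload = '" onmouseover="alert(1)'
  puts content_tag(:div, "hi", title: mark_safe(payload))                # onmouseover injected
  puts content_tag(:div, "hi", title: escape_quotes(mark_safe(payload))) # quote stays inside title
end
```

Note that the sanitize helper removes tags and event-handler attributes from markup, but a bare quote is valid text to it; that is why a sanitized value can still break out of an attribute, and why attribute values need quote escaping regardless of the safe flag.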

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None None Partial None
Patched Versions

~> 4.2.7.1 ~> 4.2.8 >= 5.0.0.1

Unaffected Versions

< 3.0.0

CVE-2018-16477
rails Moderate
File Access
Discovered over 1 year ago
Published over 4 years ago
Category: File Access
Severity: Moderate

There is a vulnerability in Active Storage. This vulnerability has been assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage service and Disk service include content-disposition and content-type parameters that an attacker can modify. This can be used to upload specially crafted HTML files and have them served and executed inline. Combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production. Other storage services such as S3 or Azure aren’t affected.

All users running an affected release should either upgrade or use one of the workarounds immediately. For those using GCS, it’s also recommended to run the following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end
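The added example below models the design principle behind this advisory and is not Active Storage's code or either service's real URL layout: when the content-disposition and content-type that shape a download response sit outside the signed part of the URL, a client can rewrite them and have a stored upload served inline as text/html; when they sit inside the signed payload, any edit invalidates the signature. The secret, blob key and path format are constructed.

```ruby
require "openssl"
require "json"
require "base64"
require "cgi"

SECRET = "constructed-secret".freeze

def hmac(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encode(payload)
  Base64.urlsafe_encode64(payload, padding: false)
end

def decode(token)
  Base64.urlsafe_decode64(token)
end

# Affected layout: the signature covers only the blob key; disposition and
# content type ride along as ordinary query parameters.
def weak_url(key, disposition, content_type)
  payload = JSON.generate("key" => key)
  "/disk/#{encode(payload)}--#{hmac(payload)}" \
    "?disposition=#{CGI.escape(disposition)}&content_type=#{CGI.escape(content_type)}"
end

# Hardened layout: everything that shapes the response is inside the signed payload.
def signed_url(key, disposition, content_type)
  payload = JSON.generate("key" => key, "disposition" => disposition, "content_type" => content_type)
  "/disk/#{encode(payload)}--#{hmac(payload)}"
end

# What an attacker does to a signed URL: edit the payload, keep the old signature.
def tamper_signed(url, changes)
  token, sig = url.delete_prefix("/disk/").split("--", 2)
  fields = JSON.parse(decode(token)).merge(changes)
  "/disk/#{encode(JSON.generate(fields))}--#{sig}"
end

# Server side: the response headers, or nil when the signature does not verify.
# trust_query models the affected behaviour of honouring unsigned parameters.
def serve(url, trust_query: false)
  path, query = url.split("?", 2)
  token, sig = path.delete_prefix("/disk/").split("--", 2)
  payload = decode(token.to_s)
  return nil unless sig && secure_equal?(hmac(payload), sig)
  fields = JSON.parse(payload)
  CGI.parse(query).each { |k, v| fields[k] = v.first } if trust_query && query
  { "Content-Type" => fields["content_type"], "Content-Disposition" => fields["disposition"] }
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  weak = weak_url("blob1", "attachment", "application/octet-stream")
  tampered = weak.sub("disposition=attachment", "disposition=inline")
                 .sub("content_type=application%2Foctet-stream", "content_type=text%2Fhtml")
  p serve(tampered, trust_query: true) # inline text/html: the upload runs as a page
  strong = signed_url("blob1", "attachment", "application/octet-stream")
  p serve(tamper_signed(strong, "disposition" => "inline", "content_type" => "text/html")) # nil
end
```

The blob-update loop above is the other half of the same principle for GCS: the content type and disposition are fixed on the stored object itself, so the response no longer depends on anything the requester supplies.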

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 5.2.1.1

Unaffected Versions

< 5.2.0

References

n/a

CVE-2019-5421
devise Moderate
Authentication
Discovered over 1 year ago
Published over 2 years ago
Category: Authentication
Source: GitHub
Severity: Critical

The Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition because increment_failed_attempts within the Devise::Models::Lockable class is not concurrency safe: concurrent failed logins can each read the same counter value before writing it back, so not every failure is counted and an attacker can exceed the configured maximum attempts before the account locks.
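The added example below shows the lost-update race in a read-modify-write increment of failed_attempts and the atomic alternative; it is illustrative code, not Devise's. Rather than depending on thread timing, the concurrent login attempts are interleaved explicitly (every request reads the counter before any writes), which is the schedule that loses updates. The in-memory row, the maximum_attempts value and the method names are constructed.

```ruby
MAXIMUM_ATTEMPTS = 3

# Stand-in for a users row with a failed_attempts column. atomic_increment!
# plays the role of a single UPDATE ... SET failed_attempts = failed_attempts + 1.
class UserRow
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  def read
    @failed_attempts
  end

  def write(value)
    @failed_attempts = value
  end

  def atomic_increment!
    @lock.synchronize { @failed_attempts += 1 }
  end

  def locked?
    @failed_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Non-atomic pattern: load the row, add one in Ruby, save the row.
def failed_attempt_racy_read(row)
  row.read + 1
end

# `concurrency` failed logins where every request reads before any writes:
# all of them compute the same value and the last write wins.
def run_racy_round(row, concurrency)
  pending = Array.new(concurrency) { failed_attempt_racy_read(row) }
  pending.each { |v| row.write(v) }
  row.failed_attempts
end

# The same burst against the atomic increment.
def run_atomic_round(row, concurrency)
  Array.new(concurrency) { Thread.new { row.atomic_increment! } }.each(&:join)
  row.failed_attempts
end

# Wrong passwords an attacker gets to submit, `concurrency` at a time,
# before locked? becomes true.
def guesses_before_lock(row, concurrency, atomic:)
  guesses = 0
  until row.locked?
    atomic ? run_atomic_round(row, concurrency) : run_racy_round(row, concurrency)
    guesses += concurrency
  end
  guesses
end

if __FILE__ == $PROGRAM_NAME
  puts "racy:   #{guesses_before_lock(UserRow.new, 4, atomic: false)} guesses before lock" # 12
  puts "atomic: #{guesses_before_lock(UserRow.new, 4, atomic: true)} guesses before lock"  # 4
end
```

With a real database the atomic form is an increment performed in SQL (the statement ActiveRecord's increment_counter issues), not a value computed in the application and written back; the lock check must then re-read the row after the increment.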

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 4.6.0

Unaffected Versions

n/a

References

n/a