High severity7.3NVD Advisory· Published Apr 7, 2016· Updated Jun 17, 2026
CVE-2016-2098
CVE-2016-2098
Description
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 3.0.0, < 3.2.22.2 | 3.2.22.2 |
actionpackRubyGems | >= 4.0.0, < 4.1.14.2 | 4.1.14.2 |
actionpackRubyGems | >= 4.2.0, < 4.2.5.2 | 4.2.5.2 |
Affected products
122cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*+ 69 more
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*range: <=3.2.22.1
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*
- ghsa-coords49 versionspkg:gem/actionpackpkg:rpm/opensuse/rubygem-actionview-4_2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/portus&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/rubygem-actionmailer-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-actionmailer-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-actionmailer-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-actionmailer-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20Lifecycle%20Management%20Server%201.3pkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20Studio%20Onsite%201.3pkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20WebYast%201.3pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-actionview-4_1&distro=SUSE%20OpenStack%20Cloud%205pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20Enterprise%20Storage%202.1pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-activejob-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-activejob-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-activejob-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-activejob-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-activemodel-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-activemodel-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-activemodel-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-activemodel-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-rails-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-rails-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-rails-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-rails-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-railties-4_2&distro=SUSE%20Enterprise%20Storage%203pkg:rpm/suse/rubygem-railties-4_2&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/rubygem-railties-4_2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/rubygem-railties-4_2&distro=SUSE%20OpenStack%20Cloud%207
>= 3.0.0, < 3.2.22.2+ 48 more
- (no CPE)range: >= 3.0.0, < 3.2.22.2
- (no CPE)range: < 5.0.0.1-1.1
- (no CPE)range: < 2.0.3-2.4
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 3.2.12-0.26.1
- (no CPE)range: < 3.2.12-0.26.1
- (no CPE)range: < 3.2.12-0.26.1
- (no CPE)range: < 3.2.12-0.26.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.1.9-12.1
- (no CPE)range: < 4.2.2-8.1
- (no CPE)range: < 4.2.9-9.3.1
- (no CPE)range: < 4.2.9-9.3.1
- (no CPE)range: < 4.2.2-8.1
- (no CPE)range: < 4.2.9-9.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-6.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-7.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 1.0.3-8.3.1
- (no CPE)range: < 1.0.3-8.3.1
- (no CPE)range: < 1.0.3-8.3.1
- (no CPE)range: < 1.0.3-8.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
- (no CPE)range: < 4.2.9-3.3.1
Patches
Vulnerability mechanics
References
21- weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/nvdPatchVendor Advisory
- github.com/advisories/GHSA-78rc-8c29-p45gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-2098ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.htmlnvdWEB
- weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-releasedghsaWEB
- www.debian.org/security/2016/dsa-3509nvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.ymlghsaWEB
- groups.google.com/forum/ghsaWEB
- web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725ghsaWEB
- web.archive.org/web/20210612214217/https://groups.google.com/forum/message/rawghsaWEB
- web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122ghsaWEB
- www.exploit-db.com/exploits/40086ghsaWEB
- www.securityfocus.com/bid/83725nvd
- www.securitytracker.com/id/1035122nvd
- groups.google.com/forum/message/rawnvd
- www.exploit-db.com/exploits/40086/nvd
News mentions
0No linked articles in our index yet.