High severityNVD Advisory· Published May 12, 2020· Updated Aug 4, 2024

CVE-2020-8151

Description

There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Active Resource < v5.1.1 uses insufficiently encoded ID parameters in URL paths, enabling specially crafted requests to leak information.

Vulnerability

Overview

CVE-2020-8151 is an information disclosure vulnerability in Active Resource prior to version 5.1.1. The root cause lies in the element_path method, which constructs URLs for REST resources using URI.parser.escape to encode ID parameter values [1][3]. This encoding routine does not properly handle certain characters, such as ? or ../, allowing an attacker to inject unexpected path components or query strings into the generated URL.

Exploitation and

Attack Surface

An attacker can exploit this by providing a crafted ID value to an Active Resource client—for example, by sending a request that includes a ? or ../ in the resource identifier. Because URI.parser.escape fails to encode these characters in a way that prevents URL structure manipulation, the generated request may be sent to an unintended endpoint on the remote API [3]. The fix introduced in commit 0de18f7 replaces the encoding method with URI.encode_www_form_component, which correctly encodes such characters [3]. No authentication is required to trigger this issue; any attacker who can influence the ID parameter used in a find or similar operation can attempt exploitation.

Impact

Successful exploitation could allow an attacker to access data or API resources outside the intended scope. For instance, by injecting ../ an attacker might cause the client to request a parent collection or another resource, potentially leaking information that was not meant to be exposed [3]. The vulnerability is rated as medium severity (CVSS v2 score 5.0) [2].

Mitigation

Status

Users should upgrade to Active Resource version 5.1.1 or later, which includes the corrected encoding logic [1][2][3]. There is no workaround other than applying the patch. No evidence of active exploitation in the wild or inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
activeresourceRubyGems	>= 3.0.0.rc, < 5.1.1	5.1.1

Affected products

203

Active Resource/Active Resourcedescription
ghsa-coords202 versions
pkg:gem/activeresource pkg:rpm/suse/ansible1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-cluster&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cluster&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-input-model&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/memcached&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-dashboard&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard-theme-HPE&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-manila-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-monasca-agent&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-fwaas&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-fwaas-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-octavia-amphora-image&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-amqp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-apicapi&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Flask&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-GitPython&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-GitPython&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneauth1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.messaging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-psql2mysql&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pyroute2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-pysaml2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-tooz&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-waitress&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rabbitmq-server&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/storm&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/zookeeper&distro=SUSE%20OpenStack%20Cloud%207
>= 3.0.0.rc, < 5.1.1+ 201 more
- (no CPE)range: >= 3.0.0.rc, < 5.1.1
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.2.3.0-12.2
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 4.0+git.1580209654.1d112d31f-9.66.5
- (no CPE)range: < 5.0+git.1593156248.55bbdb26d-3.41.2
- (no CPE)range: < 4.0+git.1585316203.d6ad2c8-4.52.4
- (no CPE)range: < 4.0+git.1589804581.9972163f0-9.71.4
- (no CPE)range: < 5.0+git.1593085772.64c4ab43c-4.40.2
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 4.6.5-1.14.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 2.0.19-1.8.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-5.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 1.5.17-3.6.1
- (no CPE)range: < 20180608_12.47-12.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 8+git.1523473653.6599ec8-3.3.1
- (no CPE)range: < 2016.2-5.12.4
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 3.0.1~dev30-4.12.2
- (no CPE)range: < 3.0.1~dev30-4.12.3
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 9.0.2~dev5-4.9.3
- (no CPE)range: < 9.0.2~dev5-4.9.4
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 12.2.1~a0~dev177-4.9.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.8.19-3.23.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 2.8.1-4.12.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 0.5.0+git.1589351878.4ef877c-1.12.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.2.1-21.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.8.1-11.12.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.0.2-3.17.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 3.4.4-3.16.1
- (no CPE)range: < 7.20180803-3.18.3
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 3.9.2-7.20.1
- (no CPE)range: < 3.9.2-3.12.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 2.16.0-4.6.1
- (no CPE)range: < 2.16.0-3.9.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 3.4.10-6.1

Patches

0de18f7e96fa

Properly encode ID parameters to avoid possible information leak

https://github.com/rails/activeresourceAaron PattersonMay 5, 2020via ghsa

commit

3 files changed · +18 −2

lib/active_resource/base.rb+1 −1 modified

@@ -772,7 +772,7 @@ def element_path(id, prefix_options = {}, query_options = nil)
         check_prefix_options(prefix_options)
 
         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
-        "#{prefix(prefix_options)}#{collection_name}/#{URI.parser.escape id.to_s}#{format_extension}#{query_string(query_options)}"
+        "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
       end
 
       # Gets the element url for the given ID in +id+. If the +query_options+ parameter is omitted, Rails

test/cases/base_test.rb+1 −1 modified

@@ -688,7 +688,7 @@ def test_custom_element_path
     assert_equal "/people/1/addresses/1.json", StreetAddress.element_path(1, person_id: 1)
     assert_equal "/people/1/addresses/1.json", StreetAddress.element_path(1, "person_id" => 1)
     assert_equal "/people/Greg/addresses/1.json", StreetAddress.element_path(1, "person_id" => "Greg")
-    assert_equal "/people/ann%20mary/addresses/ann%20mary.json", StreetAddress.element_path(:'ann mary', "person_id" => "ann mary")
+    assert_equal "/people/ann%20mary/addresses/ann+mary.json", StreetAddress.element_path(:'ann mary', "person_id" => "ann mary")
   end
 
   def test_custom_element_path_without_required_prefix_param

test/cases/finder_test.rb+16 −0 modified

@@ -172,4 +172,20 @@ def test_find_single_by_symbol_from
     david = Person.find(:one, from: :leader)
     assert_equal "David", david.name
   end
+
+  def test_find_identifier_encoding
+    ActiveResource::HttpMock.respond_to { |m| m.get "/people/%3F.json", {}, @david }
+
+    david = Person.find("?")
+
+    assert_equal "David", david.name
+  end
+
+  def test_find_identifier_encoding_for_path_traversal
+    ActiveResource::HttpMock.respond_to { |m| m.get "/people/..%2F.json", {}, @david }
+
+    david = Person.find("../")
+
+    assert_equal "David", david.name
+  end
 end

0e969bdaf8ff

fix escaping id and parameters in path [#5137 state:resolved]

https://github.com/rails/railsJosef ReidingerJul 22, 2010via ghsa

commit

2 files changed · +3 −2

activeresource/lib/active_resource/base.rb+2 −2 modified

@@ -577,7 +577,7 @@ def prefix_source
       # Default value is <tt>site.path</tt>.
       def prefix=(value = '/')
         # Replace :placeholders with '#{embedded options[:lookups]}'
-        prefix_call = value.gsub(/:\w+/) { |key| "\#{options[#{key}]}" }
+        prefix_call = value.gsub(/:\w+/) { |key| "\#{URI.escape options[#{key}].to_s}" }
 
         # Clear prefix parameters in case they have been cached
         @prefix_parameters = nil
@@ -622,7 +622,7 @@ def prefix(options={}) "#{prefix_call}" end
       #
       def element_path(id, prefix_options = {}, query_options = nil)
         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
-        "#{prefix(prefix_options)}#{collection_name}/#{id}.#{format.extension}#{query_string(query_options)}"
+        "#{prefix(prefix_options)}#{collection_name}/#{URI.escape id.to_s}.#{format.extension}#{query_string(query_options)}"
       end
 
       # Gets the new element path for REST resources.

activeresource/test/cases/base_test.rb+1 −0 modified

@@ -563,6 +563,7 @@ def test_custom_element_path
     assert_equal '/people/1/addresses/1.xml', StreetAddress.element_path(1, :person_id => 1)
     assert_equal '/people/1/addresses/1.xml', StreetAddress.element_path(1, 'person_id' => 1)
     assert_equal '/people/Greg/addresses/1.xml', StreetAddress.element_path(1, 'person_id' => 'Greg')
+    assert_equal '/people/ann%20mary/addresses/ann%20mary.xml', StreetAddress.element_path(:'ann mary', 'person_id' => 'ann mary')
   end
 
   def test_module_element_path

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-46j2-xjgp-jrfmghsaADVISORY
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR/mitrevendor-advisoryx_refsource_FEDORA
nvd.nist.gov/vuln/detail/CVE-2020-8151ghsaADVISORY
github.com/rails/activeresource/commit/0de18f7e96fa90bbf23b16ac11980bc2cb6a716eghsaWEB
github.com/rails/rails/commit/0e969bdaf8ff2e3384350687aa0b583f94d6dfbcghsaWEB
groups.google.com/forum/ghsaWEB
groups.google.com/forum/mitrex_refsource_MISC
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSRghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000