RubyGems package
actionpack
pkg:gem/actionpack
Vulnerabilities (63)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22885 | — | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 | May 27, 2021 | A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. | ||
| CVE-2021-22881 | — | >= 6.0.0, < 6.0.3.5 | 6.0.3.5 | Feb 11, 2021 | The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users t | ||
| CVE-2020-8264 | — | >= 6.0.0, < 6.0.3.4 | 6.0.3.4 | Jan 6, 2021 | In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local applic | ||
| CVE-2020-8166 | Med | 4.3 | >= 5.0.0, < 5.2.4.3 | 5.2.4.3 | Jul 2, 2020 | A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. | |
| CVE-2020-8185 | — | >= 6.0.0, < 6.0.3.2 | 6.0.3.2 | Jul 2, 2020 | A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. | ||
| CVE-2020-8164 | — | >= 5.0.0, < 5.2.4.3 | 5.2.4.3 | Jun 19, 2020 | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. | ||
| CVE-2016-2098 | Hig | 7.3 | >= 3.0.0, < 3.2.22.2 | 3.2.22.2 | Apr 7, 2016 | Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. | |
| CVE-2016-2097 | Med | 5.3 | >= 3.0.0, < 3.2.22.2 | 3.2.22.2 | Apr 7, 2016 | Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this v | |
| CVE-2016-0752 | Hig | 7.5 | KEV | >= 4.0.0, < 4.1.14.1 | 4.1.14.1 | Feb 16, 2016 | Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render met |
| CVE-2016-0751 | Hig | 7.5 | >= 4.2.0, < 4.2.5.1 | 4.2.5.1 | Feb 16, 2016 | actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a de | |
| CVE-2015-7581 | Hig | 7.5 | >= 4.0.0, < 4.2.5.1 | 4.2.5.1 | Feb 16, 2016 | actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard c | |
| CVE-2015-7576 | Low | 3.7 | >= 3.1.0, < 3.2.22.1 | 3.2.22.1 | Feb 16, 2016 | The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.b | |
| CVE-2014-7829 | — | >= 4.1.0, < 4.1.8 | 4.1.8 | Nov 18, 2014 | Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to deter | ||
| CVE-2014-7818 | — | >= 3.0.0, < 3.2.20 | 3.2.20 | Nov 8, 2014 | Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to deter | ||
| CVE-2014-0130 | Hig | 7.5 | KEV | >= 3.0.0, < 3.2.18 | 3.2.18 | May 7, 2014 | Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to rea |
| CVE-2014-0082 | — | >= 3.0.0, < 3.2.17 | 3.2.17 | Feb 20, 2014 | actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including th | ||
| CVE-2014-0081 | — | >= 3.0.0, < 3.2.17 | 3.2.17 | Feb 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negati | ||
| CVE-2013-6417 | — | >= 3.0.0, < 3.2.16 | 3.2.16 | Dec 7, 2013 | actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended databa | ||
| CVE-2013-6416 | — | >= 4.0.0, < 4.0.2 | 4.0.2 | Dec 7, 2013 | Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute. | ||
| CVE-2013-6415 | — | >= 3.0.0, < 3.2.16 | 3.2.16 | Dec 7, 2013 | Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. |
- CVE-2021-22885May 27, 2021affected >= 6.0.0, < 6.0.3.7fixed 6.0.3.7
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.
- CVE-2021-22881Feb 11, 2021affected >= 6.0.0, < 6.0.3.5fixed 6.0.3.5
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users t
- CVE-2020-8264Jan 6, 2021affected >= 6.0.0, < 6.0.3.4fixed 6.0.3.4
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local applic
- affected >= 5.0.0, < 5.2.4.3fixed 5.2.4.3
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
- CVE-2020-8185Jul 2, 2020affected >= 6.0.0, < 6.0.3.2fixed 6.0.3.2
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
- CVE-2020-8164Jun 19, 2020affected >= 5.0.0, < 5.2.4.3fixed 5.2.4.3
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
- affected >= 3.0.0, < 3.2.22.2fixed 3.2.22.2
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
- affected >= 3.0.0, < 3.2.22.2fixed 3.2.22.2
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this v
- affected >= 4.0.0, < 4.1.14.1fixed 4.1.14.1
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render met
- affected >= 4.2.0, < 4.2.5.1fixed 4.2.5.1
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a de
- affected >= 4.0.0, < 4.2.5.1fixed 4.2.5.1
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard c
- affected >= 3.1.0, < 3.2.22.1fixed 3.2.22.1
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.b
- CVE-2014-7829Nov 18, 2014affected >= 4.1.0, < 4.1.8fixed 4.1.8
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to deter
- CVE-2014-7818Nov 8, 2014affected >= 3.0.0, < 3.2.20fixed 3.2.20
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to deter
- affected >= 3.0.0, < 3.2.18fixed 3.2.18
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to rea
- CVE-2014-0082Feb 20, 2014affected >= 3.0.0, < 3.2.17fixed 3.2.17
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including th
- CVE-2014-0081Feb 20, 2014affected >= 3.0.0, < 3.2.17fixed 3.2.17
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negati
- CVE-2013-6417Dec 7, 2013affected >= 3.0.0, < 3.2.16fixed 3.2.16
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended databa
- CVE-2013-6416Dec 7, 2013affected >= 4.0.0, < 4.0.2fixed 4.0.2
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
- CVE-2013-6415Dec 7, 2013affected >= 3.0.0, < 3.2.16fixed 3.2.16
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
Page 2 of 4