RubyGems package
activesupport
pkg:gem/activesupport
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33176 | — | — | | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands |
| CVE-2026-33170 | — | — | | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in pl |
| CVE-2026-33169 | — | — | | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the i |
| CVE-2023-38037 | Med | 5.5 | | >= 5.2.0, < 6.1.7.5 | 6.1.7.5 | Jan 9, 2025 | ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary |
| CVE-2023-28120 | Med | 5.3 | | >= 7.0.0, < 7.0.4.3 | 7.0.4.3 | Jan 9, 2025 | There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. |
| CVE-2023-22796 | — | — | | < 6.1.7.1 | 6.1.7.1 | Feb 9, 2023 | A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts |
| CVE-2020-8165 | — | — | | >= 5.0.0, < 5.2.4.3 | 5.2.4.3 | Jun 19, 2020 | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE. |
| CVE-2015-3227 | — | — | | >= 4.0.0.beta1, < 4.1.11 | 4.1.11 | Jul 26, 2015 | The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. |
| CVE-2015-3226 | — | — | | >= 4.1.0, < 4.1.11 | 4.1.11 | Jul 26, 2015 | Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. |
| CVE-2013-1856 | — | — | | >= 3.0.0, < 3.1.12 | 3.1.12 | Mar 19, 2013 | The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows r |
| CVE-2013-0333 | — | — | | >= 2.3.2, < 2.3.16 | 2.3.16 | Jan 30, 2013 | lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypas |
| CVE-2012-3464 | — | — | | >= 3.0.0.beta, < 3.0.17 | 3.0.17 | Aug 10, 2012 | Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' ( |
| CVE-2012-1098 | — | — | | >= 3.0.0, < 3.0.12 | 3.0.12 | Mar 13, 2012 | Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods. |
| CVE-2011-2932 | — | — | | >= 2.0.0, < 2.3.13 | 2.3.13 | Aug 29, 2011 | Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode |
| CVE-2011-2197 | — | — | | >= 2.0.0, < 2.3.12 | 2.3.12 | Jun 30, 2011 | The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an appl |
| CVE-2009-3086 | — | — | | >= 2.1.0, < 2.2.3 | 2.2.3 | Sep 8, 2009 | A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. |
| CVE-2009-3009 | — | — | | >= 2.0.0, < 2.2.3 | 2.2.3 | Sep 8, 2009 | Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. |