CVE-2016-2098
HIGH7.3EPSS 83.3%actionpack allows remote code execution via application's unrestricted use of render method
發布日:2017/10/24修改日:2026/4/28
描述
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
受影響套件(2)
- Debian/railsfrom 0, < 2:4.2.5.2-1
- RubyGems/actionpack>= 3.0.0, < 3.2.22.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
參考連結(17)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-2098
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-2098
- PATCHhttps://github.com/rails/rails
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml
- WEBhttps://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
- WEBhttps://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725
- WEBhttps://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
- WEBhttps://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122
- WEBhttps://www.exploit-db.com/exploits/40086
- WEBhttp://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released
- WEBhttp://www.debian.org/security/2016/dsa-3509