
rubygem-actionpack: multiple vulnerabilities

Package(s): rubygem-actionpack
CVE #(s): CVE-2013-4491, CVE-2013-6414, CVE-2013-6417
Created: December 18, 2013
Updated: December 18, 2013
Description: From the CVE entries:

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. (CVE-2013-4491)
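The following is an added illustration of the defect class described in CVE-2013-4491, not code from Rails or the i18n gem: a translation helper that, for a missing key, builds a fallback string out of the key itself and returns it as markup. The translation table, the helper names and the exact markup are constructed for this example; the point is that the key can originate from request input, so the fallback must be escaped before it is treated as safe HTML.

```ruby
require "erb"

# Constructed stand-in for a translation backend (assumption: a flat
# "locale.key" => text table instead of a real I18n backend).
TRANSLATIONS = { "en.greeting" => "Hello" }.freeze

def lookup(key)
  TRANSLATIONS[key]
end

# Vulnerable shape: when the key is missing, a fallback string is built
# from the raw key and handed back as markup the caller treats as safe.
def translate_unsafe(key)
  text = lookup(key)
  return text if text
  last = key.split(".").last
  %(<span class="translation_missing" title="translation missing: #{key}">#{last}</span>)
end

# Hardened shape: the key is untrusted input (it may come straight from a
# request parameter), so every fragment of it is HTML-escaped before it
# is interpolated into the fallback markup.
def translate_safe(key)
  text = lookup(key)
  return ERB::Util.html_escape(text) if text
  escaped_key  = ERB::Util.html_escape(key)
  escaped_last = ERB::Util.html_escape(key.split(".").last)
  %(<span class="translation_missing" title="translation missing: #{escaped_key}">#{escaped_last}</span>)
end
```

A quick way to spot this class of bug in review is to look for any string that is built from a lookup key, header or parameter and then marked as safe markup without passing through the escaper first.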

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. (CVE-2013-6414)
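The following is an added example, not Action View's own lookup code, of the caching pattern behind CVE-2013-6414 and the check that bounds it. A template lookup memoises its result per format list; if that list is derived from the raw Accept header, every never-seen-before media type becomes a fresh cache entry and the cache grows with attacker traffic. The MIME table, class and method names below are constructed for this example.

```ruby
# Constructed table of registered media types and the short format name
# a view lookup would key on. Anything not in this table is unknown.
KNOWN_MIME_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
  "*/*"              => :html,
}.freeze

class TemplateLookupCache
  attr_reader :entries

  def initialize(validate_formats:)
    @validate_formats = validate_formats
    @entries = {}
  end

  # Split an Accept header into media types, dropping q= parameters.
  def media_types(accept)
    accept.to_s.split(",")
          .map { |part| part.split(";").first.to_s.strip.downcase }
          .reject(&:empty?)
  end

  # Build the cache key (the format list) for a request.
  def formats_for(accept)
    types = media_types(accept)
    if @validate_formats
      # Only registered types may become cache keys; unknown ones fall
      # back to a default, so the key space is bounded by the table.
      known = types.map { |t| KNOWN_MIME_TYPES[t] }.compact.uniq
      known.empty? ? [:html] : known
    else
      # Unvalidated: any string the client sends becomes its own key.
      types.map(&:to_sym)
    end
  end

  # Resolve and memoise per format list, as a template lookup would.
  def resolve(accept)
    key = formats_for(accept)
    @entries[key] ||= { formats: key }
  end
end

# Drive a cache with a list of Accept headers and report how many
# entries it holds afterwards.
def cache_growth(validate_formats, headers)
  cache = TemplateLookupCache.new(validate_formats: validate_formats)
  headers.each { |h| cache.resolve(h) }
  cache.entries.size
end

# Constructed traffic: 500 requests, each carrying a bogus type that has
# never been seen before.
BOGUS_HEADERS = (1..500).map { |i| "application/x-bogus-#{i}" }.freeze
```

With validation off, `cache_growth(false, BOGUS_HEADERS)` returns 500 and keeps climbing with every new header; with validation on it stays at 1, because every unknown type collapses to the default format. The same rule applies to any cache keyed on client-controlled input: validate or canonicalise the key first, and give the cache a hard size limit as a second line of defence.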

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155. (CVE-2013-6417)
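The following is an added example of the parameter-handling difference behind CVE-2013-6417 and CVE-2013-0155, not the Rails `deep_munge` code itself. A form-encoded body can only ever yield strings, but a JSON body can yield `[null]` or `[]` for the same key, and a hash-style query condition turns those into an `IS NULL` or empty-list predicate instead of an exact match. The normaliser, predicate shapes and request parser below are constructed for this example; the point the advisory makes is that such normalisation has to run wherever parameters are read, including those set by Rack middleware, and that lookups on secrets such as tokens should additionally insist on a non-empty scalar.

```ruby
require "json"
require "uri"

# Recursively normalise a parameter tree so that the JSON-only shapes
# [null] and [] collapse to nil instead of reaching a query builder as
# a list. Constructed for this example; not Rails' own deep_munge.
def normalize_params(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = normalize_params(v) }
  when Array
    cleaned = value.map { |v| normalize_params(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# The shape a hash-style condition takes for a given value. Illustrative
# predicate descriptors, not ActiveRecord output.
def predicate_for(column, value)
  case value
  when nil   then [:is_null, column]
  when Array then [:in, column, value]
  else            [:eq, column, value]
  end
end

# Guard for lookups that must always be an exact match on a scalar
# (session tokens, API keys, password-reset tokens).
def require_scalar(params, key)
  v = params[key]
  unless v.is_a?(String) && !v.empty?
    raise ArgumentError, "#{key}: expected a non-empty string, got #{v.inspect}"
  end
  v
end

# Parse a request body by content type and normalise the result at the
# boundary, regardless of which parser produced it.
def parse_request(content_type, body)
  params = if content_type == "application/json"
             JSON.parse(body)
           else
             URI.decode_www_form(body).to_h
           end
  normalize_params(params)
end

# What a naive `where(token: params["token"])` would be asked to match.
def token_predicate(content_type, body)
  params = parse_request(content_type, body)
  predicate_for("token", params["token"])
end
```

Even after normalisation, `token_predicate("application/json", '{"token":[null]}')` yields an `IS NULL` predicate, which is exactly why the scalar guard exists: `require_scalar` rejects the request before any query is built, whereas the form-encoded request `token=abc` passes through as an exact match.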

Alerts:
Debian DSA-2888-1 ruby-actionpack-3.2 2014-03-27
Fedora FEDORA-2013-23636 rubygem-actionpack 2014-03-07
Red Hat RHSA-2014:0008-01 ruby193-rubygem-actionpack 2014-01-06
openSUSE openSUSE-SU-2014:0009-1 rubygem-actionpack-3_2 2014-01-03
openSUSE openSUSE-SU-2013:1907-1 rubygem-actionpack-3_2 2013-12-18
openSUSE openSUSE-SU-2013:1906-1 rubygem-actionpack-3_2 2013-12-18
openSUSE openSUSE-SU-2013:1904-1 rubygem-actionpack-3_2 2013-12-18



Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds