Search criteria Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.

1 vulnerability found for activesupport by Ruby on Rails

CERTFR-2026-AVI-0349

Vulnerability from certfr_avis - Published: 2026-03-24 - Updated: 2026-03-24

De multiples vulnérabilités ont été découvertes dans les produits Ruby on Rails. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products
Vendor Product Description
Ruby on Rails activestorage activestorage versions 8.0.x antérieures à 8.0.4.1
Ruby on Rails activesupport activesupport versions antérieures à 7.2.3.1
Ruby on Rails actionview actionview versions 8.0.x antérieures à 8.0.4.1
Ruby on Rails actionpack actionpack versions 8.1.x antérieures à 8.1.2.1
Ruby on Rails activesupport activesupport versions 8.1.x antérieures à 8.1.2.1
Ruby on Rails actionview actionview versions 8.1.x antérieures à 8.1.2.1
Ruby on Rails actionview actionview versions antérieures à 7.2.3.1
Ruby on Rails activestorage activestorage versions antérieures à 7.2.3.1
Ruby on Rails activesupport activesupport versions 8.0.x antérieures à 8.0.4.1
Ruby on Rails activestorage activestorage versions 8.1.x antérieures à 8.1.2.1
References
Bulletin de sécurité Ruby on Rails 90912 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90911 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90910 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90913 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90906 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90908 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90903 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90904 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90909 2026-03-23 vendor-advisory
Bulletin de sécurité Ruby on Rails 90907 2026-03-23 vendor-advisory

Show details on source website
To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "activestorage versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1",
      "product": {
        "name": "activestorage",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "activesupport versions ant\u00e9rieures \u00e0 7.2.3.1",
      "product": {
        "name": "activesupport",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "actionview versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1",
      "product": {
        "name": "actionview",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "actionpack versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1",
      "product": {
        "name": "actionpack",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "activesupport versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1",
      "product": {
        "name": "activesupport",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "actionview versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1",
      "product": {
        "name": "actionview",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "actionview versions ant\u00e9rieures \u00e0 7.2.3.1",
      "product": {
        "name": "actionview",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "activestorage versions ant\u00e9rieures \u00e0 7.2.3.1",
      "product": {
        "name": "activestorage",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "activesupport versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1",
      "product": {
        "name": "activesupport",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "activestorage versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1",
      "product": {
        "name": "activestorage",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-33202",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33202"
    },
    {
      "name": "CVE-2026-33168",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33168"
    },
    {
      "name": "CVE-2026-33658",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33658"
    },
    {
      "name": "CVE-2026-33169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33169"
    },
    {
      "name": "CVE-2026-33195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33195"
    },
    {
      "name": "CVE-2026-33173",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33173"
    },
    {
      "name": "CVE-2026-33176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33176"
    },
    {
      "name": "CVE-2026-33174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33174"
    },
    {
      "name": "CVE-2026-33167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33167"
    },
    {
      "name": "CVE-2026-33170",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33170"
    }
  ],
  "initial_release_date": "2026-03-24T00:00:00",
  "last_revision_date": "2026-03-24T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0349",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-03-24T00:00:00.000000"
    },
    {
      "description": "Correction des r\u00e9f\u00e9rences CVE",
      "revision_date": "2026-03-24T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Ruby on Rails. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
  "vendor_advisories": [
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90912",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33168-possible-xss-vulnerability-in-action-view-tag-helpers/90912"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90911",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33169-possible-redos-vulnerability-in-number-to-delimited-in-active-support/90911"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90910",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33170-possible-xss-vulnerability-in-safebuffer-in-active-support/90910"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90913",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33167-possible-xss-vulnerability-in-action-pack-debug-exceptions/90913"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90906",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90908",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33174-possible-dos-vulnerability-in-active-storage-proxy-mode-via-range-requests/90908"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90903",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33202-possible-glob-injection-in-active-storage-diskservice/90903"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90904",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33195-possible-path-traversal-in-active-storage-diskservice/90904"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90909",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33173-insufficient-filtering-of-metadata-in-active-storage-direct-uploads/90909"
    },
    {
      "published_at": "2026-03-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90907",
      "url": "https://discuss.rubyonrails.org/t/cve-2026-33176-possible-dos-vulnerability-in-active-support-number-helpers/90907"
    }
  ]
}