Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for ruby_on_rails by david_hansson
CVE-2007-5380 (GCVE-0-2007-5380)
Vulnerability from nvd – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
Date Public ?
2007-10-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:31:58.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "27965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27657"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2007-11-17T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "27965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27657"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5380",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "27965",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"refsource": "CERT",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"refsource": "SUSE",
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"name": "http://docs.info.apple.com/article.html?artnum=307179",
"refsource": "CONFIRM",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27657"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5380",
"datePublished": "2007-10-19T23:00:00.000Z",
"dateReserved": "2007-10-11T00:00:00.000Z",
"dateUpdated": "2024-08-07T15:31:58.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-5379 (GCVE-0-2007-5379)
Vulnerability from nvd – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Date Public ?
2007-10-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:31:59.017Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/40717"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27657"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.rubyonrails.org/ticket/8453"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2007-11-17T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/40717"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27657"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.rubyonrails.org/ticket/8453"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5379",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2007-4238",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"refsource": "CERT",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"refsource": "OSVDB",
"url": "http://osvdb.org/40717"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"name": "http://docs.info.apple.com/article.html?artnum=307179",
"refsource": "CONFIRM",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27657"
},
{
"name": "http://dev.rubyonrails.org/ticket/8453",
"refsource": "CONFIRM",
"url": "http://dev.rubyonrails.org/ticket/8453"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5379",
"datePublished": "2007-10-19T23:00:00.000Z",
"dateReserved": "2007-10-11T00:00:00.000Z",
"dateUpdated": "2024-08-07T15:31:59.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-5380 (GCVE-0-2007-5380)
Vulnerability from cvelistv5 – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Date Public ?
2007-10-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:31:58.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "27965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27657"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2007-11-17T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "27965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27657"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5380",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "27965",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27965"
},
{
"name": "ADV-2007-4238",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"refsource": "CERT",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "SUSE-SR:2007:025",
"refsource": "SUSE",
"url": "http://www.novell.com/linux/security/advisories/2007_25_sr.html"
},
{
"name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"name": "http://docs.info.apple.com/article.html?artnum=307179",
"refsource": "CONFIRM",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27657"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5380",
"datePublished": "2007-10-19T23:00:00.000Z",
"dateReserved": "2007-10-11T00:00:00.000Z",
"dateUpdated": "2024-08-07T15:31:58.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-5379 (GCVE-0-2007-5379)
Vulnerability from cvelistv5 – Published: 2007-10-19 23:00 – Updated: 2024-08-07 15:31
VLAI?
Summary
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Date Public ?
2007-10-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:31:59.017Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/40717"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/27657"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.rubyonrails.org/ticket/8453"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2007-11-17T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "ADV-2007-4238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/40717"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/27657"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.rubyonrails.org/ticket/8453"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5379",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2007-4238",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"name": "ADV-2007-3508",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/3508"
},
{
"name": "TA07-352A",
"refsource": "CERT",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"name": "28136",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28136"
},
{
"name": "26096",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/26096"
},
{
"name": "GLSA-200711-17",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"name": "40717",
"refsource": "OSVDB",
"url": "http://osvdb.org/40717"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=195315",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"name": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"name": "APPLE-SA-2007-12-17",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"name": "http://docs.info.apple.com/article.html?artnum=307179",
"refsource": "CONFIRM",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"name": "27657",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/27657"
},
{
"name": "http://dev.rubyonrails.org/ticket/8453",
"refsource": "CONFIRM",
"url": "http://dev.rubyonrails.org/ticket/8453"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5379",
"datePublished": "2007-10-19T23:00:00.000Z",
"dateReserved": "2007-10-11T00:00:00.000Z",
"dateUpdated": "2024-08-07T15:31:59.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}