Vulnerability-Lookup

CVE-2015-7581 (GCVE-0-2015-7581)

Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51

Summary

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

Severity

No CVSS data available.

CWE

Assigner

redhat

References

10 references

URL	Tags
https://groups.google.com/forum/message/raw?msg=r…	mailing-listx_refsource_MLIST
http://lists.opensuse.org/opensuse-updates/2016-0…	vendor-advisoryx_refsource_SUSE
http://www.openwall.com/lists/oss-security/2016/0…	mailing-listx_refsource_MLIST
http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://www.securitytracker.com/id/1034816	vdb-entryx_refsource_SECTRACK
http://www.debian.org/security/2016/dsa-3464	vendor-advisoryx_refsource_DEBIAN
http://rhn.redhat.com/errata/RHSA-2016-0296.html	vendor-advisoryx_refsource_REDHAT
http://www.securityfocus.com/bid/81677	vdb-entryx_refsource_BID

Date Public

2016-01-25 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:51:28.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[ruby-security-ann] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ"
          },
          {
            "name": "openSUSE-SU-2016:0372",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
          },
          {
            "name": "[oss-security] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/01/25/16"
          },
          {
            "name": "FEDORA-2016-94e71ee673",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
          },
          {
            "name": "FEDORA-2016-f486068393",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
          },
          {
            "name": "SUSE-SU-2016:1146",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
          },
          {
            "name": "1034816",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1034816"
          },
          {
            "name": "DSA-3464",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3464"
          },
          {
            "name": "RHSA-2016:0296",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
          },
          {
            "name": "81677",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/81677"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-09T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[ruby-security-ann] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ"
        },
        {
          "name": "openSUSE-SU-2016:0372",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
        },
        {
          "name": "[oss-security] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/01/25/16"
        },
        {
          "name": "FEDORA-2016-94e71ee673",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
        },
        {
          "name": "FEDORA-2016-f486068393",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
        },
        {
          "name": "SUSE-SU-2016:1146",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
        },
        {
          "name": "1034816",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1034816"
        },
        {
          "name": "DSA-3464",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3464"
        },
        {
          "name": "RHSA-2016:0296",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
        },
        {
          "name": "81677",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/81677"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-7581",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
              "refsource": "MLIST",
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ"
            },
            {
              "name": "openSUSE-SU-2016:0372",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/16"
            },
            {
              "name": "FEDORA-2016-94e71ee673",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
            },
            {
              "name": "FEDORA-2016-f486068393",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "1034816",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "name": "DSA-3464",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3464"
            },
            {
              "name": "RHSA-2016:0296",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
            },
            {
              "name": "81677",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/81677"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-7581",
    "datePublished": "2016-02-16T02:00:00.000Z",
    "dateReserved": "2015-09-29T00:00:00.000Z",
    "dateUpdated": "2024-08-06T07:51:28.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2015-7581",
      "date": "2026-05-29",
      "epss": "0.08542",
      "percentile": "0.92514"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2015-7581\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2016-02-16T02:59:04.877\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route.\"},{\"lang\":\"es\",\"value\":\"actionpack/lib/action_dispatch/routing/route_set.rb en Action Pack en Ruby on Rails 4.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 permite a atacantes remotos causar una denegaci\u00f3n de servicio (almacenamiento en cach\u00e9 superfluo y consumo de memoria) aprovechando el uso de una ruta de controlador comod\u00edn por una aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-399\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E950E33-CD03-45F5-83F9-F106060B4A8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"547C62C8-4B3E-431B-AA73-5C42ED884671\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CDAD329-35F7-4C82-8019-A0CF6D069059\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"56D3858B-0FEE-4E8D-83C2-68AF0431F478\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"254884EE-EBA4-45D0-9704-B5CB22569668\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"35FC7015-267C-403B-A23D-EDA6223D2104\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C913A56-959D-44F1-BD89-D246C66D1F09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D5BA926-38EE-47BE-9D16-FDCF360A503B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"18EA25F1-279A-4F1A-883D-C064369F592E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD794856-6F30-4ABF-8AE4-720BB75E6F89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4199B8B-A6F9-4BFD-8D27-0E663D8C579D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"767C481D-6616-4CA9-9A9B-C994D9121796\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5496953-0C5E-45F8-A7FB-240CEC2CCEB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA46B621-125E-497F-B2DE-91C989B25936\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3239443-2E19-4540-BA0C-05A27E44CB6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"104AC9CF-6611-4469-9852-7FDAF4EC7638\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC9E1864-B1E5-42C3-B4AF-9A002916B66D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"31AC91AA-6A9A-43B4-B3E9-A66A34B6E612\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A462C151-982E-4A83-A376-025015F40645\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"578CC013-776B-4868-B448-B7ACAF3AF832\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"C310EA3E-399A-48FD-8DE9-6950E328CF23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"293B2998-5169-4960-BEC4-21DAC837E32B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAB8D57F-9849-428C-B8E9-D0A1020728BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0359DA8-6B41-46C5-AA95-41B1B366DD4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0965BDB6-9644-465C-AA32-9278B2D53197\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F6B15CF-37C1-4C9B-8457-4A8C9A480188\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"072EB16D-1325-4869-B156-65E786A834C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"847B3C3D-8656-404D-A954-09C159EDC8E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65CA2D50-B33C-4088-BDDF-EB964C9A092C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CADB5989-5260-4F60-ACF2-BEB6D7F97654\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"509597D0-22E1-4BE8-95AD-C54FE4D15FA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"539C550D-FEDD-415E-95AE-40E1AE2BAF1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59C5B869-74FC-4051-A103-A721332B3CF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"709A19A5-8FD1-4F9C-A38C-F06242A94D68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83F1142C-3BFB-4B72-A033-81E20DB19D02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81D717DB-7C80-48AA-A774-E291D2E75D6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06B357FB-0307-4EFA-9C5B-3C2CDEA48584\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"79D5B492-43F9-470F-BD21-6EFD93E78453\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6A1C015-56AD-489C-B301-68CF1DBF1BEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF8F94CF-D504-4165-A69E-3F1198CB162A\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0296.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/16\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/81677\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/81677\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

SUSE-SU-2016:1146-1

Vulnerability from csaf_suse - Published: 2016-04-25 14:28 - Updated: 2016-04-25 14:28

Summary

Security update for portus

Severity

Important

Notes

Title of the patch: Security update for portus

Description of the patch: Portus was updated to version 2.0.3, which brings several fixes and enhancements: - Fixed crono job when a repository could not be found. - Fixed compatibility issues with Docker 1.10 and Distribution 2.3. - Handle multiple scopes in token requests. - Add optional fields to token response. - Fixed notification events for Distribution v2.3. - Paginate through the catalog properly. - Do not remove all the repositories if fetching one fails. - Fixed SMTP setup. - Don't let crono overflow the 'log' column on the DB. - Show the actual LDAP error on invalid login. - Fixed the location of crono logs. - Always use relative paths. - Set RUBYLIB when using portusctl. - Don't count hidden teams on the admin panel. - Warn developers on unsupported docker-compose versions. - Directly invalidate LDAP logins without name and password. - Don't show the 'I forgot my password' link on LDAP. The following Rubygems bundled within Portus have been updated to fix security issues: - CVE-2016-2098: rubygem-actionpack (bsc#969943). - CVE-2015-7578: rails-html-sanitizer (bsc#963326). - CVE-2015-7579: rails-html-sanitizer (bsc#963327). - CVE-2015-7580: rails-html-sanitizer (bsc#963328). - CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563). - CVE-2015-7577: rubygem-activerecord (bsc#963604). - CVE-2016-0751: rugygem-actionpack (bsc#963627). - CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608). - CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617). - CVE-2015-7581: rubygem-actionpack (bsc#963625).

Patchnames: SUSE-SLE-Module-Containers-12-2016-672

CVE-2015-7576

3.7 (Low)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2015-7577

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2015-7578

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2015-7579

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2015-7580

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2015-7581

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2016-0751

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact low

CVE-2016-0752

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2016-0753

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2016-2098

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64		—	Vendor Fix

Threats

Impact important

References

57 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/963326	self
https://bugzilla.suse.com/963327	self
https://bugzilla.suse.com/963328	self
https://bugzilla.suse.com/963563	self
https://bugzilla.suse.com/963604	self
https://bugzilla.suse.com/963608	self
https://bugzilla.suse.com/963617	self
https://bugzilla.suse.com/963625	self
https://bugzilla.suse.com/963627	self
https://bugzilla.suse.com/969943	self
https://www.suse.com/security/cve/CVE-2015-7576/	self
https://www.suse.com/security/cve/CVE-2015-7577/	self
https://www.suse.com/security/cve/CVE-2015-7578/	self
https://www.suse.com/security/cve/CVE-2015-7579/	self
https://www.suse.com/security/cve/CVE-2015-7580/	self
https://www.suse.com/security/cve/CVE-2015-7581/	self
https://www.suse.com/security/cve/CVE-2016-0751/	self
https://www.suse.com/security/cve/CVE-2016-0752/	self
https://www.suse.com/security/cve/CVE-2016-0753/	self
https://www.suse.com/security/cve/CVE-2016-2098/	self
https://www.suse.com/security/cve/CVE-2015-7576	external
https://bugzilla.suse.com/963329	external
https://bugzilla.suse.com/963563	external
https://bugzilla.suse.com/970715	external
https://www.suse.com/security/cve/CVE-2015-7577	external
https://bugzilla.suse.com/963330	external
https://bugzilla.suse.com/963604	external
https://www.suse.com/security/cve/CVE-2015-7578	external
https://bugzilla.suse.com/963326	external
https://www.suse.com/security/cve/CVE-2015-7579	external
https://bugzilla.suse.com/963326	external
https://bugzilla.suse.com/963327	external
https://bugzilla.suse.com/963328	external
https://www.suse.com/security/cve/CVE-2015-7580	external
https://bugzilla.suse.com/963326	external
https://bugzilla.suse.com/963327	external
https://bugzilla.suse.com/963328	external
https://www.suse.com/security/cve/CVE-2015-7581	external
https://bugzilla.suse.com/963335	external
https://www.suse.com/security/cve/CVE-2016-0751	external
https://bugzilla.suse.com/963331	external
https://bugzilla.suse.com/963627	external
https://www.suse.com/security/cve/CVE-2016-0752	external
https://bugzilla.suse.com/963332	external
https://bugzilla.suse.com/963608	external
https://bugzilla.suse.com/968850	external
https://www.suse.com/security/cve/CVE-2016-0753	external
https://bugzilla.suse.com/963334	external
https://bugzilla.suse.com/963617	external
https://www.suse.com/security/cve/CVE-2016-2098	external
https://bugzilla.suse.com/968849	external
https://bugzilla.suse.com/969943	external
https://bugzilla.suse.com/993313	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for portus",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nPortus was updated to version 2.0.3, which brings several fixes and enhancements:\n\n- Fixed crono job when a repository could not be found.\n- Fixed compatibility issues with Docker 1.10 and Distribution 2.3.\n- Handle multiple scopes in token requests.\n- Add optional fields to token response.\n- Fixed notification events for Distribution v2.3.\n- Paginate through the catalog properly.\n- Do not remove all the repositories if fetching one fails.\n- Fixed SMTP setup.\n- Don\u0027t let crono overflow the \u0027log\u0027 column on the DB.\n- Show the actual LDAP error on invalid login.\n- Fixed the location of crono logs.\n- Always use relative paths.\n- Set RUBYLIB when using portusctl.\n- Don\u0027t count hidden teams on the admin panel.\n- Warn developers on unsupported docker-compose versions.\n- Directly invalidate LDAP logins without name and password.\n- Don\u0027t show the \u0027I forgot my password\u0027 link on LDAP.\n\nThe following Rubygems bundled within Portus have been updated to fix security\nissues:\n\n- CVE-2016-2098: rubygem-actionpack (bsc#969943).\n- CVE-2015-7578: rails-html-sanitizer (bsc#963326).\n- CVE-2015-7579: rails-html-sanitizer (bsc#963327).\n- CVE-2015-7580: rails-html-sanitizer (bsc#963328).\n- CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).\n- CVE-2015-7577: rubygem-activerecord (bsc#963604).\n- CVE-2016-0751: rugygem-actionpack (bsc#963627).\n- CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).\n- CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617).\n- CVE-2015-7581: rubygem-actionpack (bsc#963625).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Module-Containers-12-2016-672",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_1146-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2016:1146-1",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20161146-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2016:1146-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2016-April/002027.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963326",
        "url": "https://bugzilla.suse.com/963326"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963327",
        "url": "https://bugzilla.suse.com/963327"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963328",
        "url": "https://bugzilla.suse.com/963328"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963563",
        "url": "https://bugzilla.suse.com/963563"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963604",
        "url": "https://bugzilla.suse.com/963604"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963608",
        "url": "https://bugzilla.suse.com/963608"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963617",
        "url": "https://bugzilla.suse.com/963617"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963625",
        "url": "https://bugzilla.suse.com/963625"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 963627",
        "url": "https://bugzilla.suse.com/963627"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 969943",
        "url": "https://bugzilla.suse.com/969943"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7576 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7576/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7577 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7577/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7578 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7578/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7579 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7579/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7580 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7580/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-7581 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-7581/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-0751 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-0751/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-0752 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-0752/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-0753 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-0753/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-2098 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-2098/"
      }
    ],
    "title": "Security update for portus",
    "tracking": {
      "current_release_date": "2016-04-25T14:28:51Z",
      "generator": {
        "date": "2016-04-25T14:28:51Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2016:1146-1",
      "initial_release_date": "2016-04-25T14:28:51Z",
      "revision_history": [
        {
          "date": "2016-04-25T14:28:51Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "portus-2.0.3-2.4.x86_64",
                "product": {
                  "name": "portus-2.0.3-2.4.x86_64",
                  "product_id": "portus-2.0.3-2.4.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 12",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 12",
                  "product_id": "SUSE Linux Enterprise Module for Containers 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "portus-2.0.3-2.4.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
          "product_id": "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        },
        "product_reference": "portus-2.0.3-2.4.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-7576",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7576"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7576",
          "url": "https://www.suse.com/security/cve/CVE-2015-7576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963329 for CVE-2015-7576",
          "url": "https://bugzilla.suse.com/963329"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963563 for CVE-2015-7576",
          "url": "https://bugzilla.suse.com/963563"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 970715 for CVE-2015-7576",
          "url": "https://bugzilla.suse.com/970715"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7576"
    },
    {
      "cve": "CVE-2015-7577",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7577"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7577",
          "url": "https://www.suse.com/security/cve/CVE-2015-7577"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963330 for CVE-2015-7577",
          "url": "https://bugzilla.suse.com/963330"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963604 for CVE-2015-7577",
          "url": "https://bugzilla.suse.com/963604"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7577"
    },
    {
      "cve": "CVE-2015-7578",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7578"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7578",
          "url": "https://www.suse.com/security/cve/CVE-2015-7578"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963326 for CVE-2015-7578",
          "url": "https://bugzilla.suse.com/963326"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7578"
    },
    {
      "cve": "CVE-2015-7579",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7579"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7579",
          "url": "https://www.suse.com/security/cve/CVE-2015-7579"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963326 for CVE-2015-7579",
          "url": "https://bugzilla.suse.com/963326"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963327 for CVE-2015-7579",
          "url": "https://bugzilla.suse.com/963327"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963328 for CVE-2015-7579",
          "url": "https://bugzilla.suse.com/963328"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7579"
    },
    {
      "cve": "CVE-2015-7580",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7580"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7580",
          "url": "https://www.suse.com/security/cve/CVE-2015-7580"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963326 for CVE-2015-7580",
          "url": "https://bugzilla.suse.com/963326"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963327 for CVE-2015-7580",
          "url": "https://bugzilla.suse.com/963327"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963328 for CVE-2015-7580",
          "url": "https://bugzilla.suse.com/963328"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7580"
    },
    {
      "cve": "CVE-2015-7581",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-7581"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-7581",
          "url": "https://www.suse.com/security/cve/CVE-2015-7581"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963335 for CVE-2015-7581",
          "url": "https://bugzilla.suse.com/963335"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-7581"
    },
    {
      "cve": "CVE-2016-0751",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-0751"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-0751",
          "url": "https://www.suse.com/security/cve/CVE-2016-0751"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963331 for CVE-2016-0751",
          "url": "https://bugzilla.suse.com/963331"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963627 for CVE-2016-0751",
          "url": "https://bugzilla.suse.com/963627"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "low"
        }
      ],
      "title": "CVE-2016-0751"
    },
    {
      "cve": "CVE-2016-0752",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-0752"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-0752",
          "url": "https://www.suse.com/security/cve/CVE-2016-0752"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963332 for CVE-2016-0752",
          "url": "https://bugzilla.suse.com/963332"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963608 for CVE-2016-0752",
          "url": "https://bugzilla.suse.com/963608"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 968850 for CVE-2016-0752",
          "url": "https://bugzilla.suse.com/968850"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2016-0752"
    },
    {
      "cve": "CVE-2016-0753",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-0753"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-0753",
          "url": "https://www.suse.com/security/cve/CVE-2016-0753"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963334 for CVE-2016-0753",
          "url": "https://bugzilla.suse.com/963334"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 963617 for CVE-2016-0753",
          "url": "https://bugzilla.suse.com/963617"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2016-0753"
    },
    {
      "cve": "CVE-2016-2098",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-2098"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-2098",
          "url": "https://www.suse.com/security/cve/CVE-2016-2098"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 968849 for CVE-2016-2098",
          "url": "https://bugzilla.suse.com/968849"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 969943 for CVE-2016-2098",
          "url": "https://bugzilla.suse.com/969943"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 993313 for CVE-2016-2098",
          "url": "https://bugzilla.suse.com/993313"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2016-04-25T14:28:51Z",
          "details": "important"
        }
      ],
      "title": "CVE-2016-2098"
    }
  ]
}

WID-SEC-W-2025-1085

Vulnerability from csaf_certbund - Published: 2016-01-25 23:00 - Updated: 2025-05-18 22:00

Summary

Ruby on Rails: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um Sicherheitsfunktionen zu umgehen, um Dateien zu manipulieren oder um einen Denial of Service Zustand herbeizuführen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2015-7576

Affected products

Known affected 7 products

Product	Identifier	Version
SUSE Linux Enterprise Server SUSE	`cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2015-7577

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2015-7578

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2015-7579

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2015-7580

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2015-7581

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2016-0751

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2016-0752

Affected products

Known affected 9 products

Product	Identifier	Version
SUSE Linux Enterprise Server SUSE	`cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux 6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:6`	6
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Red Hat Enterprise Linux 7 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:7`	7
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

CVE-2016-0753

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Ruby on Rails <4.2.5.1 Open Source / Ruby on Rails		<4.2.5.1
Open Source Ruby on Rails <3.2.22.1 Open Source / Ruby on Rails		<3.2.22.1
Open Source Ruby on Rails <4.1.14.1 Open Source / Ruby on Rails		<4.1.14.1

References

27 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
http://weblog.rubyonrails.org/2016/1/25/Rails-5-0…	external
http://www.debian.org/security/2016/dsa-3464	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://rhn.redhat.com/errata/RHSA-2016-0296.html	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.debian.org/security/2016/dsa-3509	external
https://rhn.redhat.com/errata/RHSA-2016-0454.html	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://www.suse.com/support/update/announcement/…	external
https://lists.opensuse.org/opensuse-security-anno…	external
https://cxsecurity.com/issue/WLB-2016100137	external
https://www.suse.com/support/update/announcement/…	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um Sicherheitsfunktionen zu umgehen, um Dateien zu manipulieren oder um einen Denial of Service Zustand herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1085 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2016/wid-sec-w-2025-1085.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1085 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1085"
      },
      {
        "category": "external",
        "summary": "Weblog Rubyonrails vom 2016-01-25",
        "url": "http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-3464 vom 2016-02-01",
        "url": "http://www.debian.org/security/2016/dsa-3464"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0391-1 vom 2016-02-09",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160391-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0432-1 vom 2016-02-12",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160432-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0435-1 vom 2016-02-12",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160435-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0457-1 vom 2016-02-15",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160457-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0458-1 vom 2016-02-15",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160458-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0456-1 vom 2016-02-15",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160456-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:0296 vom 2016-02-25",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-0296.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0600-1 vom 2016-02-26",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160600-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0598-1 vom 2016-02-26",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0597-1 vom 2016-02-26",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160597-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0599-1 vom 2016-02-26",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160599-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0619-1 vom 2016-03-01",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160619-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0623-1 vom 2016-03-01",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160623-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0618-1 vom 2016-03-01",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160618-1.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-3509 vom 2016-03-09",
        "url": "https://www.debian.org/security/2016/dsa-3509"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:0454 vom 2016-03-16",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-0454.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0857-1 vom 2016-03-23",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160857-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0858-1 vom 2016-03-23",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:0968-1 vom 2016-04-07",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160968-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:1146-1 vom 2016-04-25",
        "url": "https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
      },
      {
        "category": "external",
        "summary": "CXSecurity #WLB-2016100137 vom 2016-10-23",
        "url": "https://cxsecurity.com/issue/WLB-2016100137"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2017:0475-1 vom 2017-02-16",
        "url": "https://www.suse.com/support/update/announcement/2017/suse-su-20170475-1.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15125-1 vom 2025-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4QQONV4QKIWHRILZMO26H7FGDPO7KJAF/"
      }
    ],
    "source_lang": "en-US",
    "title": "Ruby on Rails: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-05-18T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-19T08:27:28.505+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1085",
      "initial_release_date": "2016-01-25T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2016-01-25T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initial Release"
        },
        {
          "date": "2016-01-25T23:00:00.000+00:00",
          "number": "2",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-01-31T23:00:00.000+00:00",
          "number": "3",
          "summary": "New remediations available"
        },
        {
          "date": "2016-01-31T23:00:00.000+00:00",
          "number": "4",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-02-09T23:00:00.000+00:00",
          "number": "5",
          "summary": "New remediations available"
        },
        {
          "date": "2016-02-09T23:00:00.000+00:00",
          "number": "6",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-02-11T23:00:00.000+00:00",
          "number": "7",
          "summary": "New remediations available"
        },
        {
          "date": "2016-02-14T23:00:00.000+00:00",
          "number": "8",
          "summary": "New remediations available"
        },
        {
          "date": "2016-02-15T23:00:00.000+00:00",
          "number": "9",
          "summary": "New remediations available"
        },
        {
          "date": "2016-02-25T23:00:00.000+00:00",
          "number": "10",
          "summary": "New remediations available"
        },
        {
          "date": "2016-02-25T23:00:00.000+00:00",
          "number": "11",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-02-28T23:00:00.000+00:00",
          "number": "12",
          "summary": "New remediations available"
        },
        {
          "date": "2016-03-01T23:00:00.000+00:00",
          "number": "13",
          "summary": "New remediations available"
        },
        {
          "date": "2016-03-09T23:00:00.000+00:00",
          "number": "14",
          "summary": "New remediations available"
        },
        {
          "date": "2016-03-15T23:00:00.000+00:00",
          "number": "15",
          "summary": "New remediations available"
        },
        {
          "date": "2016-03-23T23:00:00.000+00:00",
          "number": "16",
          "summary": "New remediations available"
        },
        {
          "date": "2016-04-07T22:00:00.000+00:00",
          "number": "17",
          "summary": "New remediations available"
        },
        {
          "date": "2016-04-25T22:00:00.000+00:00",
          "number": "18",
          "summary": "New remediations available"
        },
        {
          "date": "2016-04-25T22:00:00.000+00:00",
          "number": "19",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2017-02-16T23:00:00.000+00:00",
          "number": "20",
          "summary": "New remediations available"
        },
        {
          "date": "2025-05-18T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "21"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.2.5.1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c4.2.5.1",
                  "product_id": "T006926"
                }
              },
              {
                "category": "product_version",
                "name": "4.2.5.1",
                "product": {
                  "name": "Open Source Ruby on Rails 4.2.5.1",
                  "product_id": "T006926-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:4.2.5.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.1.14.1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c4.1.14.1",
                  "product_id": "T006927"
                }
              },
              {
                "category": "product_version",
                "name": "4.1.14.1",
                "product": {
                  "name": "Open Source Ruby on Rails 4.1.14.1",
                  "product_id": "T006927-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:4.1.14.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.2.22.1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c3.2.22.1",
                  "product_id": "T006928"
                }
              },
              {
                "category": "product_version",
                "name": "3.2.22.1",
                "product": {
                  "name": "Open Source Ruby on Rails 3.2.22.1",
                  "product_id": "T006928-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:3.2.22.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ruby on Rails"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "6",
                "product": {
                  "name": "Red Hat Enterprise Linux 6",
                  "product_id": "120737",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7",
                "product": {
                  "name": "Red Hat Enterprise Linux 7",
                  "product_id": "T006054",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE Linux Enterprise Server",
            "product": {
              "name": "SUSE Linux Enterprise Server",
              "product_id": "T003320",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-7576",
      "product_status": {
        "known_affected": [
          "T003320",
          "2951",
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7576"
    },
    {
      "cve": "CVE-2015-7577",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7577"
    },
    {
      "cve": "CVE-2015-7578",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7578"
    },
    {
      "cve": "CVE-2015-7579",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7579"
    },
    {
      "cve": "CVE-2015-7580",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7580"
    },
    {
      "cve": "CVE-2015-7581",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2015-7581"
    },
    {
      "cve": "CVE-2016-0751",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2016-0751"
    },
    {
      "cve": "CVE-2016-0752",
      "product_status": {
        "known_affected": [
          "T003320",
          "2951",
          "T002207",
          "120737",
          "T027843",
          "T006926",
          "T006054",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2016-0752"
    },
    {
      "cve": "CVE-2016-0753",
      "product_status": {
        "known_affected": [
          "T002207",
          "T027843",
          "T006926",
          "T006928",
          "T006927"
        ]
      },
      "release_date": "2016-01-25T23:00:00.000+00:00",
      "title": "CVE-2016-0753"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-7581 (GCVE-0-2015-7581)

SUSE-SU-2016:1146-1

WID-SEC-W-2025-1085

Tags

Sightings

Nomenclature