
Related vulnerabilities

GSD-2014-2538

Vulnerability from gsd - Updated: 2013-07-09 00:00 (note: this timestamp, also used as the ruby-advisory-db date below, predates the CVE's NVD publication date of 2014-03-25 and the 2014-03-19 oss-security CVE request; treat it as an upstream fix/disclosure date rather than the advisory date)
Details
Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack. Per the GitLab advisory on this page, the issue is that some adapters (e.g. jruby-rack) pass a malformed URI through to rack-ssl, and the resulting exception — containing the attacker-controlled URI — is rendered unescaped in the error page (CWE-79). Caveat for remediation: the sources on this page disagree on the fixed version. The CVE text says "before 1.4.0", while ruby-advisory-db and GitLab list 1.3.4 as the first patched release, and NVD's CPE configuration marks versions up to and including 1.3.4 as vulnerable. Confirm against the referenced fix commit (9d7d7300b907e496db68d89d07fbc2e0df0b487b) before relying on 1.3.4; upgrading to 1.4.0 or later satisfies every source listed here.
Aliases

{
  "GSD": {
    "alias": "CVE-2014-2538",
    "description": "Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.",
    "id": "GSD-2014-2538",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-2538.html",
      "https://advisories.mageia.org/CVE-2014-2538.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rack-ssl",
            "purl": "pkg:gem/rack-ssl"
          }
        }
      ],
      "aliases": [
        "CVE-2014-2538",
        "OSVDB-104734"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.",
      "id": "GSD-2014-2538",
      "modified": "2013-07-09T00:00:00.000Z",
      "published": "2013-07-09T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2538"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.3,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2014-2538 rubygem rack-ssl: URL error display XSS"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-2538",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20140319 Re: CVE Request: rack-ssl rubygem: XSS in error page",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/03/19/20"
          },
          {
            "name": "https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b",
            "refsource": "CONFIRM",
            "url": "https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b"
          },
          {
            "name": "66314",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/66314"
          },
          {
            "name": "openSUSE-SU-2014:0515",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00032.html"
          },
          {
            "name": "57466",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/57466"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2014-2538",
      "cvss_v2": 4.3,
      "date": "2013-07-09",
      "description": "Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.",
      "gem": "rack-ssl",
      "osvdb": 104734,
      "patched_versions": [
        "\u003e= 1.3.4"
      ],
      "title": "CVE-2014-2538 rubygem rack-ssl: URL error display XSS",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2538"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.3.4",
          "affected_versions": "All versions before 1.3.4",
          "credit": "Xavier Shay",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2015-10-08",
          "description": "Some adapters (i.e. jruby-rack) will pass through bad URIs, then display the resulting exception. This creates an attack vector for XSS attacks.",
          "fixed_versions": [
            "1.3.4"
          ],
          "identifier": "CVE-2014-2538",
          "identifiers": [
            "CVE-2014-2538"
          ],
          "not_impacted": "All versions starting from 1.3.4",
          "package_slug": "gem/rack-ssl",
          "pubdate": "2014-03-25",
          "solution": "Upgrade to version 1.3.4 or above.",
          "title": "Exception disclosure on malformed URI",
          "urls": [
            "https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b",
            "https://github.com/josh/rack-ssl/pull/34"
          ],
          "uuid": "a8d432b1-4716-421f-8647-123db9c759f1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.3.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.2.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.0.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.1.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.3.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.3.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:1.3.3:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joshua_peek:rack-ssl:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2538"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b"
            },
            {
              "name": "[oss-security] 20140319 Re: CVE Request: rack-ssl rubygem: XSS in error page",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/03/19/20"
            },
            {
              "name": "57466",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/57466"
            },
            {
              "name": "openSUSE-SU-2014:0515",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00032.html"
            },
            {
              "name": "66314",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/66314"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2015-10-08T14:44Z",
      "publishedDate": "2014-03-25T18:21Z"
    }
  }
}