Rubyonrails: >> Rails >> 6.0.0 Security Vulnerabilities
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-07-02
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
CVSS Score
9.8
EPSS Score
0.901
Published
2020-06-19
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-06-19
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
CVSS Score
7.5
EPSS Score
0.015
Published
2020-06-19
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
CVSS Score
7.5
EPSS Score
0.074
Published
2020-06-19
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
CVSS Score
9.8
EPSS Score
0.937
Published
2019-03-27
Page 3