Rubyonrails: >> Rails >> 2.0.0 Security Vulnerabilities
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
CVSS Score
7.5
EPSS Score
0.008
Published
2023-02-09
Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.
CVSS Score
6.5
EPSS Score
0.002
Published
2023-02-02
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-10-19
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
CVSS Score
7.5
EPSS Score
0.054
Published
2021-06-11
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
CVSS Score
8.8
EPSS Score
0.862
Published
2020-07-02
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-07-02
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
CVSS Score
9.8
EPSS Score
0.91
Published
2020-06-19
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
CVSS Score
6.5
EPSS Score
0.006
Published
2020-06-19
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
CVSS Score
7.5
EPSS Score
0.023
Published
2020-06-19
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
CVSS Score
7.5
EPSS Score
0.063
Published
2020-06-19
Page 1