
Debian Jessie: DSA-3509-1 Critical: Rails Action Pack Security Issues

Debian, March 9, 2016
Several significant flaws in Rails impact Action Pack. Update your dependencies to mitigate potential security threats.

Summary

Two vulnerabilities have been discovered in Rails, a web application
framework written in Ruby. Both vulnerabilities affect Action Pack, which
handles the web requests for Rails.

CVE-2016-2097

Crafted requests to Action View, one of the components of Action Pack,
might result in rendering files from arbitrary locations, including
files beyond the application's view directory. This vulnerability is
the result of an incomplete fix of CVE-2016-0752.
This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web application does not properly sanitize user inputs, an
attacker might control the arguments of the render method in a
controller or a view, resulting in the possibility of executing
arbitrary Ruby code.
This bug was found by Tobias Kraze from Makandra and joernchen of
Phenoelit.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.8-1+deb8u2.
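Both issues come down to the same controller mistake: request data reaching `render` either as the template path (CVE-2016-2097) or as the whole options hash (CVE-2016-2098). The following is an added example, not code from Debian or the Rails project, showing the defensive pattern in plain Ruby with no Rails dependency: a fixed allowlist of view names (`ALLOWED_TEMPLATES`, a constructed value) that user input is mapped onto before anything is handed to `render`, plus a small source scanner that flags the two risky call shapes in a constructed controller. The controller names and the `dashboard/` prefix are assumptions for illustration.

```ruby
require 'set'

# Added example (not Debian's or Rails' code). The two vulnerable controller
# shapes named in the advisory are `render params[:template]` (CVE-2016-2097:
# the user chooses the file to render) and `render params` (CVE-2016-2098:
# the user chooses the render option keys, e.g. :inline). The fix is to map
# user input onto a fixed set of view names and build the options hash in
# application code, never from the request.

# Constructed allowlist of views a hypothetical dashboard may render.
ALLOWED_TEMPLATES = Set.new(%w[overview activity settings]).freeze

class UnsafeTemplate < StandardError; end

# Returns the template name only if it is exactly one of the allowed values.
# Anything else (absolute paths, "../" traversal, hashes, symbols, nil) is
# refused, so no request-controlled path or option hash reaches render.
def safe_template(user_value)
  raise UnsafeTemplate, 'template must be a String' unless user_value.is_a?(String)
  name = user_value.strip
  raise UnsafeTemplate, "template #{name.inspect} not allowed" unless ALLOWED_TEMPLATES.include?(name)
  name
end

# What a patched controller should hand to render: a literal hash built by
# the application, keyed on a validated name. Returns the render options.
def render_options_for(params)
  { template: "dashboard/#{safe_template(params['template'])}" }
end

# Detection side: a crude but useful scan for `render params...` calls,
# i.e. render receiving request data directly (with or without parentheses).
RISKY_RENDER = /\brender\s*\(?\s*params\b/

# Returns the 1-based line numbers of risky render calls in Ruby source text.
def find_risky_renders(source)
  source.each_line.with_index(1).select { |line, _| line =~ RISKY_RENDER }.map(&:last)
end

# Constructed controller source used to exercise the scanner.
SAMPLE_CONTROLLER = <<~RUBY
  class DashboardController < ApplicationController
    def show
      render params[:template]      # CVE-2016-2097 shape: user picks the path
    end

    def preview
      render params                 # CVE-2016-2098 shape: user picks the options
    end

    def safe
      render template: "dashboard/overview"
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts render_options_for('template' => 'overview').inspect
  begin
    render_options_for('template' => '../../../etc/passwd')
  rescue UnsafeTemplate => e
    puts "refused: #{e.message}"
  end
  puts "risky render calls on lines: #{find_risky_renders(SAMPLE_CONTROLLER).inspect}"
end
```

The allowlist is deliberately a set of exact names rather than a path filter: stripping `..` or leading slashes still leaves the user choosing among every file the application can read, whereas a closed set leaves nothing to choose beyond the views the developer intended. The scanner is a first-pass code review aid and will miss indirection (assigning `params[:template]` to a local first), so treat a clean result as a starting point, not proof.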

For the testing distribution (stretch), these proble...


Severity: critical

Package: rails
CVE ID: CVE-2016-2097 CVE-2016-2098
