What Are You Looking For?

Sign Up

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2655-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
May 12, 2021                                https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : rails
Version        : 2:4.2.7.1-1+deb9u5
CVE ID         : CVE-2021-22885 CVE-2021-22904
Debian Bug     : 988214

CVE-2021-22885

    There is a possible information disclosure/unintended method
    execution vulnerability in Action Pack when using the
    `redirect_to` or `polymorphic_url` helper with untrusted user
    input.

CVE-2021-22904

    There is a possible DoS vulnerability in the Token Authentication
    logic in Action Controller. Impacted code uses
    `authenticate_or_request_with_http_token` or
    `authenticate_with_http_token` for request authentication.

For Debian 9 stretch, these problems have been fixed in version
2:4.2.7.1-1+deb9u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-2655-1: rails security update

May 11, 2021
CVE-2021-22885 There is a possible information disclosure/unintended method execution vulnerability in Action Pack when using the

Summary

There is a possible information disclosure/unintended method
execution vulnerability in Action Pack when using the
`redirect_to` or `polymorphic_url` helper with untrusted user
input.

CVE-2021-22904

There is a possible DoS vulnerability in the Token Authentication
logic in Action Controller. Impacted code uses
`authenticate_or_request_with_http_token` or
`authenticate_with_http_token` for request authentication.

For Debian 9 stretch, these problems have been fixed in version
2:4.2.7.1-1+deb9u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : rails
Version : 2:4.2.7.1-1+deb9u5
CVE ID : CVE-2021-22885 CVE-2021-22904
Debian Bug : 988214

Related News

From Heartbleed to Now: Evolving Threats in OpenSSL and How to Guard Against Them

Nov 17, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Nov 25, 2023

Severe Chromium Bug Threatens Sensitive Data, System Availability

Nov 13, 2023

News

Advisories

HOWTOs

Features

Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses
Scanning and Defending Networks with Nmap
CISA Issues Urgent Warning Over Active Exploitation of Looney Tunables glibc Bug

About Us

Powered By

Footer Logo