GHSA-67j6-xv27-w6ww

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-67j6-xv27-w6ww/GHSA-67j6-xv27-w6ww.json

Aliases

CVE-2015-3224

Published

2017-10-24T18:33:36Z

Modified

2023-03-15T00:04:04.459254Z

Details

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

References

https://nvd.nist.gov/vuln/detail/CVE-2015-3224
https://github.com/rails/web-console
https://github.com/rails/web-console/blob/master/CHANGELOG.markdown
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
http://openwall.com/lists/oss-security/2015/06/16/18

Affected packages

RubyGems / web-console

web-console

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0

Fixed

2.1.3

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

2.*

2.0.0

2.0.0.beta1

2.0.0.beta2

2.0.0.beta3

2.0.0.beta4

2.1.0

2.1.1

2.1.2