GHSA-67j6-xv27-w6ww

Source
https://github.com/advisories/GHSA-67j6-xv27-w6ww
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-67j6-xv27-w6ww/GHSA-67j6-xv27-w6ww.json
Aliases
  • CVE-2015-3224
Published
2017-10-24T18:33:36Z
Modified
2023-11-08T03:57:53.522295Z
Details

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

References

Affected packages

RubyGems / web-console

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
2.1.3

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0.beta1
2.0.0.beta2
2.0.0.beta3
2.0.0.beta4
2.0.0
2.1.0
2.1.1
2.1.2