GHSA-67j6-xv27-w6ww

Source

https://github.com/advisories/GHSA-67j6-xv27-w6ww

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-67j6-xv27-w6ww/GHSA-67j6-xv27-w6ww.json

Aliases

CVE-2015-3224

Published

2017-10-24T18:33:36Z

Modified

2023-11-08T03:57:53.522295Z

Details

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

References

https://nvd.nist.gov/vuln/detail/CVE-2015-3224
https://github.com/rails/web-console
https://github.com/rails/web-console/blob/master/CHANGELOG.markdown
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/web-console/CVE-2015-3224.yml
https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
http://openwall.com/lists/oss-security/2015/06/16/18

Affected packages

RubyGems / web-console

Package

Name: web-console

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.3

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

2.*

2.0.0.beta1

2.0.0.beta2

2.0.0.beta3

2.0.0.beta4

2.0.0

2.1.0

2.1.1

2.1.2