GHSA-cr3x-7m39-c6jq

Source

https://github.com/advisories/GHSA-cr3x-7m39-c6jq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-cr3x-7m39-c6jq/GHSA-cr3x-7m39-c6jq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cr3x-7m39-c6jq

Aliases

Published

2020-07-07T16:34:27Z

Modified

2024-02-16T08:05:45.499862Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote code execution via user-provided local names in ActionView

Details

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call to perform a RCE.

Database specific

{
    "nvd_published_at": "2020-07-02T19:15:00Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2020-07-07T15:44:56Z"
}

References

Affected packages

RubyGems / actionview

Package

Name: actionview
Purl: pkg:gem/actionview

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.11.3

Affected versions

4.*

4.1.0.beta1

4.1.0.beta2

4.1.0.rc1

4.1.0.rc2

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

4.1.14.1

4.1.14.2

4.1.15.rc1

4.1.15

4.1.16.rc1

4.1.16

4.2.0.beta1

4.2.0.beta2

4.2.0.beta3

4.2.0.beta4

4.2.0.rc1

4.2.0.rc2

4.2.0.rc3

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

4.2.5.1

4.2.5.2

4.2.6.rc1

4.2.6

4.2.7.rc1

4.2.7

4.2.7.1

4.2.8.rc1

4.2.8

4.2.9.rc1

4.2.9.rc2

4.2.9

4.2.10.rc1

4.2.10

4.2.11

4.2.11.1

4.2.11.2

Database specific

last_known_affected_version_range

"<= 4.2.11.1"