GHSA-fjfg-q662-gm6j

Source

https://github.com/advisories/GHSA-fjfg-q662-gm6j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-fjfg-q662-gm6j/GHSA-fjfg-q662-gm6j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fjfg-q662-gm6j

Aliases

CVE-2007-5379

Published

2017-10-24T18:33:38Z

Modified

2024-11-28T05:40:13.221685Z

Summary

Moderate severity vulnerability that affects rails

Details

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.fromxml (Hash#fromxml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Database specific

{
    "nvd_published_at": "2007-10-19T23:17:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:34:46Z"
}

References

Affected packages

RubyGems / rails

Package

Name: rails
Purl: pkg:gem/rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.5

Affected versions

0.*

0.8.0

0.8.5

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.4.1

0.9.5

0.10.0

0.10.1

0.11.0

0.11.1

0.12.0

0.12.1

0.13.0

0.13.1

0.14.1

0.14.2

0.14.3

0.14.4

1.*

1.0.0

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

Database specific

{
    "last_known_affected_version_range": "< 1.2.4"
}