GHSA-v9v4-7jp6-8c73

Source
https://github.com/advisories/GHSA-v9v4-7jp6-8c73
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-v9v4-7jp6-8c73/GHSA-v9v4-7jp6-8c73.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v9v4-7jp6-8c73
Aliases
  • CVE-2011-2197
Published
2017-10-24T18:33:38Z
Modified
2024-12-07T05:38:34.376477Z
Summary
rails Cross-site Scripting vulnerability
Details

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.

Database specific
{
    "nvd_published_at": "2011-06-30T15:55:01Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:57:17Z"
}
References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.3.12

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11

Database specific

{
    "last_known_affected_version_range": "< 2.3.11"
}

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.8

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4

Database specific

{
    "last_known_affected_version_range": "< 3.0.7"
}

RubyGems / activesupport

Package

Name
activesupport
Purl
pkg:gem/activesupport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.3.12

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6.pre
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11

Database specific

{
    "last_known_affected_version_range": "< 2.3.11"
}

RubyGems / activesupport

Package

Name
activesupport
Purl
pkg:gem/activesupport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.8

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4

Database specific

{
    "last_known_affected_version_range": "< 3.0.7"
}