Description

Ruby on Rails web applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection.

Remediation

All users running an affected release should either upgrade or use one of the workarounds immediately. A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method. Consult Web references for more information about this issue.

References

Possible remote code execution vulnerability in Action Pack.

Rails 4.2.5.2, 4.1.14.2 and 3.2.22.2 have been released!

Related Vulnerabilities

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-29212)

WordPress Plugin PHP Everywhere Multiple Remote Code Execution Vulnerabilities (2.0.3)

Drupal Core 4.6.x Arbitrary Code Execution (4.6.0 - 4.6.6)

WordPress Plugin Gantry 4 Framework Remote Command Execution (4.1.3)

Ruby on Rails weak/known secret token

Severity

High

Classification

CVE-2016-2098 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution