PT-2016-5015 · Ruby+1 · Ruby On Rails+1

Rageltman

Published

2016-03-09

Updated

2024-06-15

CVE-2016-2098

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 3.2.x through 3.2.22.1 Ruby on Rails versions 4.0.x through 4.1.14.1 Ruby on Rails versions 4.2.x through 4.2.5.1

Description The issue allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Recommendations For versions 3.2.x through 3.2.22.1, update to version 3.2.22.2 or later. For versions 4.0.x through 4.1.14.1, update to version 4.1.14.2 or later. For versions 4.2.x through 4.2.5.1, update to version 4.2.5.2 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2016-2098

DLA-604-1

DSA-3509-1

GHSA-78RC-8C29-P45G

GHSA-HX46-VWMX-WX95

OPENSUSE-SU-2016_0790-1

OPENSUSE-SU-2016_0835-1

OPENSUSE-SU-2024:10057-1

OPENSUSE-SU-2024:10332-1

RHSA-2016:0454

RHSA-2016:0455

RHSA-2016:0456

SUSE-SU-2016:0854-1

SUSE-SU-2016:0867-1

SUSE-SU-2016:0967-1

SUSE-SU-2016:1146-1

SUSE-SU-2016_0967-1

SUSE-SU-2016_1146-1

SUSE-SU-2017:2716-1

Affected Products

Ruby On Rails

Suse

PT-2016-5015 · Ruby+1 · Ruby On Rails+1

CVE-2016-2098

Weakness Enumeration

Related Identifiers

Affected Products

References · 69