Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails :

CVE-2015-7576

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication.
Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.

CVE-2016-0751

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service.

CVE-2016-0752

A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.

CVE-2016-2097

Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit.

CVE-2016-6316

Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rubygem-actionpack-3_2 fixes the following issues :

  - CVE-2016-2097: rubygem-actionview: Possible Information     Leak Vulnerability in Action View. (boo#968850)

  - CVE-2016-2098: rubygem-actionpack: Possible remote code     execution vulnerability in Action Pack (boo#968849)

- Fix rails-html-sanitizer v1.0.3 compatibility. * Fix     code injection vulnerability (CVE-2016-2098).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rubygem-actionview-4_2 fixes the following issues :

  - CVE-2016-2098: rubygem-actionpack: Possible remote code     execution vulnerability in Action Pack (boo#968849)

Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails.

  - CVE-2016-2097     Crafted requests to Action View, one of the components     of Action Pack, might result in rendering files from     arbitrary locations, including files beyond the     application's view directory. This vulnerability is the     result of an incomplete fix of CVE-2016-0752. This bug     was found by Jyoti Singh and Tobias Kraze from Makandra.

  - CVE-2016-2098     If a web applications does not properly sanitize user     inputs, an attacker might control the arguments of the     render method in a controller or a view, resulting in     the possibility of executing arbitrary ruby code. This     bug was found by Tobias Kraze from Makandra and     joernchen of Phenoelit.

Ruby on Rails blog :

Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible.

ID	Name	Product	Family	Severity
93132	Debian DLA-604-1 : ruby-actionpack-3.2 security update	Nessus	Debian Local Security Checks	high
90061	openSUSE Security Update : rubygem-actionpack-3_2 (openSUSE-2016-369)	Nessus	SuSE Local Security Checks	high
90016	Fedora 23 : rubygem-actionpack-4.2.3-5.fc23 / rubygem-actionview-4.2.3-5.fc23 (2016-f6af14570f)	Nessus	Fedora Local Security Checks	high
90013	Fedora 22 : rubygem-actionpack-4.2.0-4.fc22 / rubygem-actionview-4.2.0-5.fc22 (2016-3954061e32)	Nessus	Fedora Local Security Checks	high
89977	openSUSE Security Update : rubygem-actionview-4_2 (openSUSE-2016-352)	Nessus	SuSE Local Security Checks	high
89791	Debian DSA-3509-1 : rails - security update	Nessus	Debian Local Security Checks	high
89708	FreeBSD : rails -- multiple vulnerabilities (5a016dd0-8aa8-490e-a596-55f4cc17e4ef)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-2098

high

Tenable Plugins

high

high

high

high

high

high

high