CVE-2007-5379

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Configurations

Configuration 1 (hide)

cpe:2.3:a:david_hansson:ruby_on_rails:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2007-10-19 23:17

Updated : 2024-02-28 11:01


NVD link : CVE-2007-5379

Mitre link : CVE-2007-5379

CVE.ORG link : CVE-2007-5379


JSON object : View

Products Affected

david_hansson

  • ruby_on_rails
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor