CVE-2008-5189

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*

History

21 Nov 2024, 00:53

Type Values Removed Values Added
References () http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d - () http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d -
References () http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html - () http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html -
References () http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing - Vendor Advisory () http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing - Vendor Advisory
References () http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk - () http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk -
References () http://www.securityfocus.com/bid/32359 - Patch () http://www.securityfocus.com/bid/32359 - Patch

Information

Published : 2008-11-21 12:00

Updated : 2024-11-21 00:53


NVD link : CVE-2008-5189

Mitre link : CVE-2008-5189

CVE.ORG link : CVE-2008-5189


JSON object : View

Products Affected

rubyonrails

  • rails
  • ruby_on_rails
CWE
CWE-352

Cross-Site Request Forgery (CSRF)