CVE-2011-2929

The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
References
Link Resource
http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 Patch
http://www.openwall.com/lists/oss-security/2011/08/17/1 Patch
http://www.openwall.com/lists/oss-security/2011/08/19/11 Patch
http://www.openwall.com/lists/oss-security/2011/08/20/1 Patch
http://www.openwall.com/lists/oss-security/2011/08/22/13 Patch
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5 Patch
https://bugzilla.redhat.com/show_bug.cgi?id=731432 Patch
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 Patch
http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 Patch
http://www.openwall.com/lists/oss-security/2011/08/17/1 Patch
http://www.openwall.com/lists/oss-security/2011/08/19/11 Patch
http://www.openwall.com/lists/oss-security/2011/08/20/1 Patch
http://www.openwall.com/lists/oss-security/2011/08/22/13 Patch
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5 Patch
https://bugzilla.redhat.com/show_bug.cgi?id=731432 Patch
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*

History

21 Nov 2024, 01:29

Type Values Removed Values Added
References () http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain - Patch () http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain - Patch
References () http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html - () http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html -
References () http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html - () http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html -
References () http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - Patch () http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - Patch
References () http://www.openwall.com/lists/oss-security/2011/08/17/1 - Patch () http://www.openwall.com/lists/oss-security/2011/08/17/1 - Patch
References () http://www.openwall.com/lists/oss-security/2011/08/19/11 - Patch () http://www.openwall.com/lists/oss-security/2011/08/19/11 - Patch
References () http://www.openwall.com/lists/oss-security/2011/08/20/1 - Patch () http://www.openwall.com/lists/oss-security/2011/08/20/1 - Patch
References () http://www.openwall.com/lists/oss-security/2011/08/22/13 - Patch () http://www.openwall.com/lists/oss-security/2011/08/22/13 - Patch
References () http://www.openwall.com/lists/oss-security/2011/08/22/14 - () http://www.openwall.com/lists/oss-security/2011/08/22/14 -
References () http://www.openwall.com/lists/oss-security/2011/08/22/5 - Patch () http://www.openwall.com/lists/oss-security/2011/08/22/5 - Patch
References () https://bugzilla.redhat.com/show_bug.cgi?id=731432 - Patch () https://bugzilla.redhat.com/show_bug.cgi?id=731432 - Patch
References () https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 - Patch () https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 - Patch

Information

Published : 2011-08-29 18:55

Updated : 2024-11-21 01:29


NVD link : CVE-2011-2929

Mitre link : CVE-2011-2929

CVE.ORG link : CVE-2011-2929


JSON object : View

Products Affected

rubyonrails

  • ruby_on_rails
  • rails
CWE
CWE-20

Improper Input Validation