Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score (CVSS v2 base) 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE Id CVE-2011-2197
Last Modified 06 Jul 2012 12:00:00
Published 30 Jun 2011 11:55:01
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-2197

Summary

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers. Rails marks strings it has already escaped, or that the developer has declared trusted with html_safe, as an ActiveSupport::SafeBuffer (provided for Rails 2.3 by the rails_xss plugin), and <%= %> outputs such a buffer without escaping it again. In the affected versions, String methods that build a new string from the receiver, sub being the demonstrated case, returned a result that still carried the html_safe flag even though their arguments (for example a replacement taken from request parameters) had never been escaped. An application that passes attacker-controlled data through such a method on a safe buffer therefore renders it unescaped, which makes XSS easier for a remote attacker who can supply a crafted string to that code path. The fixed releases make these methods on a safe buffer return an ordinary, unsafe String and make the in-place variants (sub!, gsub! and the like) raise, so affected application code has to escape the data explicitly and then re-mark the assembled markup as safe.
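The following is an added example, not code from the original page or from the Rails project. It models the pre-fix and post-fix SafeBuffer behaviour without loading ActiveSupport (erb_output, VulnerableSafeBuffer, FixedSafeBuffer, render_with, render_correct, vulnerable_version? and the PAYLOAD string are all assumptions made here), shows the application pattern that leaks unescaped input, the pattern the fix forces, and a version check over the ranges given in the summary:

```ruby
# Added example, not code from the original page or from the Rails project.
# A stand-alone model of how ActiveSupport::SafeBuffer behaved before and
# after the CVE-2011-2197 fix. It does not load ActiveSupport: erb_output,
# VulnerableSafeBuffer, FixedSafeBuffer and PAYLOAD are assumptions that
# imitate the real classes closely enough to show the bug.
require 'cgi'

# What a Rails view does with <%= value %>: output safe buffers verbatim,
# HTML-escape everything else.
def erb_output(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Model of the pre-fix buffer (assumed). Under Ruby < 3.0, String#sub
# returned an instance of the receiver's subclass, so the html_safe flag
# survived the substitution even though the replacement was never escaped.
# Current Rubies return a plain String, so that old behaviour is spelled out.
class VulnerableSafeBuffer < String
  def html_safe?
    true
  end

  def sub(*args, &block)
    VulnerableSafeBuffer.new(String.new(self).sub(*args, &block))
  end
  # sub! is inherited unchanged: it mutates self, which stays html_safe?.
end

# Model of the buffer in the fixed releases (assumed): the non-mutating
# method returns an ordinary String (so it is escaped on output) and the
# in-place variant refuses to run at all.
class FixedSafeBuffer < String
  def html_safe?
    true
  end

  def sub(*args, &block)
    String.new(self).sub(*args, &block)
  end

  def sub!(*args)
    raise TypeError, 'Cannot modify SafeBuffer in place'
  end
end

# Constructed attacker input, e.g. what arrives in params[:name].
PAYLOAD = '<script>alert(1)</script>'

# The vulnerable application pattern: a trusted template with user input
# substituted into it by sub.
def render_with(buffer_class, user_input)
  template = buffer_class.new('<p>Hello, NAME</p>')
  erb_output(template.sub('NAME', user_input))
end

# The pattern the fix forces on application code: escape the input first,
# then re-mark the assembled markup as safe. In real Rails this corresponds to
# template.sub('NAME', ERB::Util.html_escape(input)).html_safe.
def render_correct(user_input)
  template = FixedSafeBuffer.new('<p>Hello, NAME</p>')
  erb_output(FixedSafeBuffer.new(template.sub('NAME', CGI.escapeHTML(user_input))))
end

# Affected ranges as given in the summary. Gem::Version orders pre-releases
# correctly (3.1.0.rc1 < 3.1.0.rc2 < 3.1.0).
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  major, minor = v.segments[0, 2]
  case
  when major == 2               then v < Gem::Version.new('2.3.12')
  when major == 3 && minor == 0 then v < Gem::Version.new('3.0.8')
  when major == 3 && minor == 1 then v < Gem::Version.new('3.1.0.rc2')
  else false
  end
end

if __FILE__ == $0
  puts render_with(VulnerableSafeBuffer, PAYLOAD) # script tag reaches the browser
  puts render_with(FixedSafeBuffer, PAYLOAD)      # everything escaped: safe, but the markup is broken
  puts render_correct(PAYLOAD)                    # markup intact, payload escaped
  puts vulnerable_version?('3.0.7'), vulnerable_version?('3.0.8')
end
```

The second output line is the behaviour that made the fix visible to application developers: once sub returns a plain String, a template assembled this way is escaped wholesale, so the code has to be rewritten along the lines of render_correct. A quick check against a running application is to evaluate `"a".html_safe.sub("a", "<b>").html_safe?` in `rails console`: it returns true on an affected release and false once the fix is in place.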

Vulnerable Systems

Application

  • Ruby On Rails 2.0.0
  • Ruby On Rails 2.0.1
  • Ruby On Rails 2.0.2
  • Ruby On Rails 2.0.4
  • Ruby On Rails 2.1
  • Ruby On Rails 2.1.0
  • Ruby On Rails 2.1.1
  • Ruby On Rails 2.1.2
  • Ruby On Rails 2.2.0
  • Ruby On Rails 2.2.1
  • Ruby On Rails 2.2.2
  • Ruby On Rails 2.3.2
  • Ruby On Rails 2.3.3
  • Ruby On Rails 2.3.4
  • Ruby On Rails 2.3.9
  • Ruby On Rails 2.3.10
  • Ruby On Rails 2.3.11
  • Ruby On Rails 3.0.0
  • Ruby On Rails 3.0.1
  • Ruby On Rails 3.0.2
  • Ruby On Rails 3.0.3
  • Ruby On Rails 3.0.4
  • Ruby On Rails 3.0.5
  • Ruby On Rails 3.0.6
  • Ruby On Rails 3.0.7
  • Ruby On Rails 3.1.0 (release candidates before 3.1.0.rc2)

Not affected (fixed releases, per the summary above): Ruby On Rails 2.3.12, 3.0.8 and 3.1.0.rc2, and later releases on each branch.


References

CONFIRM - http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

MLIST - [rubyonrails-security] 20110607 Potential XSS Vulnerability in Ruby on Rails Applications

MLIST - [oss-security] 20110609 CVE Request: Ruby on Rails 3/rails_xss XSS

MLIST - [oss-security] 20110613 Re: CVE Request: Ruby on Rails 3/rails_xss XSS

SECUNIA - 44789

FEDORA - FEDORA-2011-8494

FEDORA - FEDORA-2011-8580


Last Updated: 27 May 2016 10:54:50