Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2011-3187
Last Modified 06 Jul 2012 12:00:00
Published 29 Aug 2011 02:55:01
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-3187

Summary

The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 3.0.5


References

MLIST - [oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)

MLIST - [oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)

MLIST - [oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)

MLIST - [oss-security] 20110817 CVE request: ruby on rails flaws (4)

CONFIRM - https://bugzilla.novell.com/show_bug.cgi?id=673010

MISC - http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html

FULLDISC - 20110216 Ruby on Rails Vulnerability


Last Updated: 27 May 2016 10:57:33