Arbitrary Code Execution

Affecting actionpack gem, versions >= 3.2, < 3.2.11 || >= 3.1, < 3.1.10 || >= 2.4, < 3.0.19 || < 2.3.15

Overview

actionpack is the Rails component for building and testing web applications.

Affected versions of this gem are vulnerable to arbitrary remote code execution. The issue is triggered by a type-casting error during parameter parsing, which may allow a remote attacker to execute arbitrary code.

Remediation

Upgrade actionpack to versions 3.2.11, 3.1.10, 3.0.19, 2.3.15 or higher.
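As an added example that is not part of this advisory, the following Ruby check reads the resolved actionpack version from a Gemfile.lock and tests it against the affected ranges stated above; the lockfile excerpt is constructed for illustration.

```ruby
require "rubygems"

# Affected ranges exactly as stated in the advisory, as RubyGems requirements.
# A version is affected if it satisfies ANY one of these range sets.
AFFECTED_RANGES = [
  [">= 3.2", "< 3.2.11"],
  [">= 3.1", "< 3.1.10"],
  [">= 2.4", "< 3.0.19"],
  ["< 2.3.15"],
].map { |reqs| Gem::Requirement.new(*reqs) }

# Minimum fixed releases named under Remediation.
FIXED_VERSIONS = %w[3.2.11 3.1.10 3.0.19 2.3.15].freeze

# Extract the resolved actionpack version from Gemfile.lock text.
# Resolved specs are indented by exactly four spaces: "    actionpack (3.2.8)".
# Dependency lines ("      actionpack (= 3.2.8)") are indented deeper and skipped.
def actionpack_version(lockfile_text)
  match = lockfile_text.match(/^ {4}actionpack \(([^)\s]+)\)/)
  match && match[1]
end

# True when the given version falls inside any affected range.
def affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Return a short finding for a lockfile, or nil when actionpack is not present.
def check_lockfile(lockfile_text)
  version = actionpack_version(lockfile_text)
  return nil unless version
  status = affected?(version) ? "AFFECTED" : "not affected"
  "actionpack #{version}: #{status} (fixed in #{FIXED_VERSIONS.join(', ')} or higher)"
end

# Constructed sample Gemfile.lock excerpt (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        activemodel (= 3.2.8)
      rails (3.2.8)
        actionpack (= 3.2.8)
LOCK

puts check_lockfile(SAMPLE_LOCKFILE) if __FILE__ == $PROGRAM_NAME
```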

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit: Unknown
CVE: CVE-2013-0156
CWE: CWE-94
Snyk ID: SNYK-RUBY-ACTIONPACK-20047
Disclosed: 07 Jan, 2013
Published: 18 Oct, 2016