Homepage
About Snyk

Authentication Bypass Affecting actionpack package, versions >= 3.0.0, <=3.0.3

0.0
high

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 1.15% (85th percentile)
Expand this section
NVD
7.3 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIONPACK-20278
  • published 28 Feb 2017
  • disclosed 8 Feb 2011
  • credit Jan M. Faber
Report a new vulnerability Found a mistake?

Introduced: 8 Feb 2011

CVE-2011-0449 Open this link in a new tab
CWE-592 Open this link in a new tab

How to fix?

Upgrade to version 3.0.4 or higher.

Overview

actionpack is a web app builder and tester on Rails. To list the templates available to an application, actionpack uses the filesystem operations. While using case-insensitive filesystems, an attacker may change the case of an action name, and use this to bypass authentication processes and leak sensitive data.