Authentication Bypass Affecting actionpack package, versions >= 3.0.0, <=3.0.3
Snyk CVSS
- Attack Complexity: Low
Threat Intelligence
- EPSS: 1.15% (85th percentile)
- Snyk ID SNYK-RUBY-ACTIONPACK-20278
- published 28 Feb 2017
- disclosed 8 Feb 2011
- credit Jan M. Faber
Introduced: 8 Feb 2011
CVE-2011-0449
How to fix?
Upgrade to version 3.0.4 or higher.
Overview
actionpack is a web app builder and tester on Rails.
To list the templates available to an application, actionpack uses filesystem operations. On a case-insensitive filesystem, an attacker may change the case of an action name and use this to bypass authentication processes and leak sensitive data.
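The following Ruby sketch is an added illustration, not actionpack source code. It models the mismatch described above: an access filter that compares action names exactly, next to a template lookup that behaves like a case-insensitive filesystem, and then a lookup that insists on an exact-case match. All names (`TEMPLATES`, `PROTECTED_ACTIONS`, `dispatch`, and the rest) are hypothetical, and the template listing is constructed sample data.

```ruby
# Simplified model of the flaw class; not Rails internals.
TEMPLATES = ["index.html.erb", "secret.html.erb"].freeze # constructed directory listing
PROTECTED_ACTIONS = ["secret"].freeze                    # filter keyed on the exact action name

# Models a lookup on a case-insensitive filesystem:
# asking for "Secret" still finds "secret.html.erb".
def lookup_case_insensitive(action)
  wanted = "#{action}.html.erb".downcase
  TEMPLATES.find { |name| name.downcase == wanted }
end

# Hardened lookup: accept the file only when the on-disk name
# matches the requested name byte for byte.
def lookup_exact(action)
  found = lookup_case_insensitive(action)
  found if found == "#{action}.html.erb"
end

# The access filter compares action names case-sensitively.
def filter_applies?(action)
  PROTECTED_ACTIONS.include?(action)
end

# Outcome of an unauthenticated request for `action`
# using the given lookup strategy (a method name as a symbol).
def dispatch(action, lookup)
  return :denied if filter_applies?(action)
  send(lookup, action) ? :rendered : :not_found
end

# Detection helper for request logs: the action is not a protected name
# as written, but becomes one when case is ignored.
def case_variant_of_protected?(action)
  !filter_applies?(action) && PROTECTED_ACTIONS.include?(action.downcase)
end

if __FILE__ == $PROGRAM_NAME
  %w[secret Secret index].each do |action|
    puts format("%-7s insensitive=%-10s exact=%-10s variant=%s",
                action,
                dispatch(action, :lookup_case_insensitive),
                dispatch(action, :lookup_exact),
                case_variant_of_protected?(action))
  end
end
```

The model shows why both controls matter: template resolution must agree with the filter on what counts as the same action name, and a log check for case variants of protected actions highlights requests that exercised the mismatch.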