Log Text Injection Affecting actionpack package, versions >=3.0.5, <3.0.6.rc1


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 1.62% (88th percentile)
Expand this section
NVD
4.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIONPACK-20280
  • published 28 Feb 2017
  • disclosed 15 Feb 2011
  • credit Jimmy Bandit

Overview

actionpack is a web app builder and tester on Rails. The to_s method in actionpack does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.