Log Text Injection Affecting actionpack package, versions >=3.0.5, <3.0.6.rc1
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
Threat Intelligence
- EPSS: 1.62% (88th percentile)
- Snyk ID SNYK-RUBY-ACTIONPACK-20280
- published 28 Feb 2017
- disclosed 15 Feb 2011
- credit Jimmy Bandit
Introduced: 15 Feb 2011
CVE-2011-3187
Overview
actionpack is a web app builder and tester on Rails.
The to_s method in actionpack does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
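The two failure modes above (untrusted text reaching the log, and a spoofed chain confusing client-address parsing) are both handled by validating each X-Forwarded-For entry before it is used. The Ruby below is an added illustration written for this page, not code from actionpack or Rails; the sample header values and the TRUSTED_PROXIES list are constructed for the example, and the proxy-trimming rule (walk the chain from the right, skip addresses that belong to your own proxies) is the general approach, not a claim about how the fixed actionpack release implements it.

```ruby
require "ipaddr"

# Constructed sample header values (not taken from the advisory): one clean
# chain, one carrying a CR/LF sequence that tries to smuggle a fake log line,
# and one with a token that is not an IP address at all.
SAMPLE_HEADERS = {
  clean:    "203.0.113.7, 198.51.100.2",
  injected: "203.0.113.7\r\n[fake] admin login ok",
  non_ip:   "not-an-ip, 203.0.113.7"
}.freeze

# Networks we run our own reverse proxies on (constructed for this example).
TRUSTED_PROXIES = [IPAddr.new("10.0.0.0/8"), IPAddr.new("127.0.0.1")].freeze

# Split an X-Forwarded-For header and keep only entries that are valid IP
# literals. Any token containing a control character (CR, LF, TAB, ...) is
# dropped outright, so nothing that could break a log line survives parsing.
def parse_forwarded_for(header)
  return [] if header.nil?

  header.split(",").map(&:strip).select do |token|
    next false if token =~ /[[:cntrl:]]/

    begin
      IPAddr.new(token)
      true
    rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
      false
    end
  end
end

# Escape control characters so a raw header value can be written to a single
# log line without letting the sender append lines of their own.
def escape_for_log(value)
  value.gsub(/[[:cntrl:]]/) { |c| format("\\x%02X", c.ord) }
end

# Best estimate of the real client address: the validated forwarded chain plus
# the peer we actually talked to, read from the right, skipping our own proxies.
# A forged leftmost entry cannot displace a genuine one further right, and a
# header that fails validation simply falls back to the socket peer address.
def client_ip(header, remote_addr, trusted = TRUSTED_PROXIES)
  chain = parse_forwarded_for(header) + [remote_addr]
  chain.reverse_each do |ip|
    return ip unless trusted.any? { |net| net.include?(IPAddr.new(ip)) }
  end
  remote_addr
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each do |name, value|
    puts "#{name}: parsed=#{parse_forwarded_for(value).inspect} " \
         "logged=#{escape_for_log(value).inspect} " \
         "client=#{client_ip(value, '10.0.0.1')}"
  end
end
```

Run stand-alone, the script shows the injected sample parsing to an empty list (so the request is attributed to the proxy peer rather than the attacker-chosen address) while the escaped form keeps the raw bytes visible in the log as `\x0D\x0A` for later investigation.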