HIGH

GHSA-4ww3-3rxj-8v6q

actionpack allows remote attackers to bypass intended access restrictions

Details

`actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / actionpack

Introduced in: 3.0.0 Fixed in: 3.0.4

Fix bundle update actionpack

References

https://nvd.nist.gov/vuln/detail/CVE-2011-0449 [ADVISORY]
https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b [WEB]
https://github.com/rails/rails/tree/main/actionpack [PACKAGE]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml [WEB]
https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061 [WEB]
http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain [WEB]
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html [WEB]
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 [WEB]