
GHSA-fjfg-q662-gm6j

Moderate severity vulnerability that affects rails

Details

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Affected packages

RubyGems / rails
Introduced in: 0
Fixed in: 1.2.4
Fix: bundle update rails
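The affected range above (introduced in 0, fixed in 1.2.4) can be checked mechanically against an application's Gemfile.lock. The script below is an added example, not code from the advisory or from Rails; the Gemfile.lock excerpt it parses is constructed, and the `locked_version`, `affected?` and `check_lockfile` helpers are names chosen here. It uses Gem::Version so that versions such as 1.2.3.1 compare correctly against 1.2.4 rather than as strings.

```ruby
# Added example: check a Gemfile.lock against the GHSA-fjfg-q662-gm6j range.
require "rubygems"

# Advisory range as stated on the page: affected if introduced <= v < fixed.
ADVISORY = {
  gem: "rails",
  introduced: Gem::Version.new("0"),
  fixed: Gem::Version.new("1.2.4"),
}.freeze

# Constructed Gemfile.lock excerpt for a hypothetical application.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (1.2.3)
      rails (1.2.3)
        activesupport (= 1.2.3)
      rake (0.8.7)
LOCK

# Returns the locked version of +name+ as a Gem::Version, or nil if absent.
# Only top-level "specs:" entries (4-space indent) are considered, so
# dependency lines such as "activesupport (= 1.2.3)" are skipped.
def locked_version(lockfile, name)
  lockfile.each_line do |line|
    m = /\A {4}#{Regexp.escape(name)} \(([^)]+)\)\s*\z/.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when +version+ lies inside the advisory's affected range.
def affected?(version, advisory = ADVISORY)
  version >= advisory[:introduced] && version < advisory[:fixed]
end

# :affected, :fixed, or :not_present for the advisory's gem in +lockfile+.
def check_lockfile(lockfile, advisory = ADVISORY)
  v = locked_version(lockfile, advisory[:gem])
  return :not_present if v.nil?
  affected?(v, advisory) ? :affected : :fixed
end

if __FILE__ == $0
  puts "#{ADVISORY[:gem]}: #{check_lockfile(SAMPLE_LOCK)}"
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`; a result of `:affected` means the `bundle update rails` fix above applies.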
