Executive Summary
| Summary | |
|---|---|
| Title | rails security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2597 | First vendor Publication | 2013-01-04 |
| Vendor | Debian | Last vendor Modification | 2013-01-04 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to "find_by_*" methods. Depending on how the ruby on rails application is using these methods, this allows an attacker to perform SQL injection attacks, e.g., to bypass authentication if Authlogic is used and the session secret token is known. For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze4. For the testing distribution (wheezy), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in ruby-activerecord-2.3 version 2.3.14-3. We recommend that you upgrade your rails/ruby-activerecord-2.3 packages. |
Original Source
| Url : http://www.debian.org/security/2013/dsa-2597 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-106.nasl - Type : ACT_GATHER_INFO |
| 2013-01-07 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2597.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2016-02-11 08:49:07 |
|
| 2016-02-09 11:36:01 |
|
| 2014-02-17 11:31:33 |
|
| 2013-01-08 13:23:03 |
|
| 2013-01-05 00:19:18 |
|
