5

CVE-2008-5189

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version0.9.1
RubyonrailsRails Version0.9.2
RubyonrailsRails Version0.9.3
RubyonrailsRails Version0.9.4
RubyonrailsRails Version0.9.4.1
RubyonrailsRails Version0.10.0
RubyonrailsRails Version0.10.1
RubyonrailsRails Version0.11.0
RubyonrailsRails Version0.11.1
RubyonrailsRails Version0.12.0
RubyonrailsRails Version0.12.1
RubyonrailsRails Version0.13.0
RubyonrailsRails Version0.13.1
RubyonrailsRails Version0.14.1
RubyonrailsRails Version0.14.2
RubyonrailsRails Version0.14.3
RubyonrailsRails Version0.14.4
RubyonrailsRails Version1.0.0
RubyonrailsRails Version1.1.0
RubyonrailsRails Version1.1.1
RubyonrailsRails Version1.1.2
RubyonrailsRails Version1.1.3
RubyonrailsRails Version1.1.4
RubyonrailsRails Version1.1.5
RubyonrailsRails Version1.1.6
RubyonrailsRails Version1.2.0
RubyonrailsRails Version1.2.1
RubyonrailsRails Version1.2.2
RubyonrailsRails Version1.2.3
RubyonrailsRails Version1.2.4
RubyonrailsRails Version1.2.5
RubyonrailsRails Version1.2.6
RubyonrailsRails Version1.9.5
RubyonrailsRails Version2.0.0
RubyonrailsRails Version2.0.0 Updaterc1
RubyonrailsRails Version2.0.0 Updaterc2
RubyonrailsRails Version2.0.1
RubyonrailsRails Version2.0.2
RubyonrailsRuby On Rails Version <= 2.0.4
RubyonrailsRuby On Rails Version0.5.0
RubyonrailsRuby On Rails Version0.5.5
RubyonrailsRuby On Rails Version0.5.6
RubyonrailsRuby On Rails Version0.5.7
RubyonrailsRuby On Rails Version0.6.0
RubyonrailsRuby On Rails Version0.6.5
RubyonrailsRuby On Rails Version0.7.0
RubyonrailsRuby On Rails Version0.8.0
RubyonrailsRuby On Rails Version0.8.5
RubyonrailsRuby On Rails Version0.9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.55% 0.718
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
Vendor Advisory
http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
http://www.securityfocus.com/bid/32359
Patch