CVE-2006-4111 — Code Injection in Rails

CWE-94 — Code Injection7 documents5 sources

Severity

7.5HIGHNVD

EPSS

4.0%

top 11.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Rubyonrails Ruby ON Rails

Timeline

PublishedAug 14

Latest updateOct 24

Description

Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶RubyGemsrubyonrails/rails1.1.0 — 1.1.6

▶Debianrubyonrails/rails< 1.1.5-1+3

▶NVDrubyonrails/ruby_on_rails1.1.4+10

▶NVDrubyonrails/rails22 versions+21

Patches

Patch: blog.koehntopp.de ↗Patch: weblog.rubyonrails.org ↗Patch: www.gentoo.org ↗

🔴Vulnerability Details

GHSA

Ruby on Rails vulnerable to code injection↗2017-10-24

▶

OSV

Ruby on Rails vulnerable to code injection↗2017-10-24

▶

GHSA

Rails Denial of Service vulnerability↗2017-10-24

▶

OSV

CVE-2006-4111: Ruby on Rails before 1↗2006-08-14

▶

CVEList

CVE-2006-4111: Ruby on Rails before 1↗2006-08-14

▶

📋Vendor Advisories

Debian

CVE-2006-4111: rails - Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "se...↗2006

▶