CVE-2006-4112 — Code Injection in Rails

CWE-94 — Code Injection12 documents5 sources

Severity

7.5HIGHNVD

EPSS

7.4%

top 8.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Rubyonrails Ruby ON Rails

Timeline

PublishedAug 14

Latest updateOct 24

Description

Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶RubyGemsrubyonrails/rails1.1.0 — 1.1.6

▶Debianrubyonrails/rails< 1.1.6-1+7

▶NVDrubyonrails/ruby_on_rails1.1.4+10

▶NVDrubyonrails/rails23 versions+22

Patches

Patch: secunia.com ↗Patch: weblog.rubyonrails.org ↗Patch: www.gentoo.org ↗

🔴Vulnerability Details

GHSA

Rails Denial of Service vulnerability↗2017-10-24

▶

GHSA

Ruby on Rails vulnerable to code injection↗2017-10-24

▶

OSV

Ruby on Rails vulnerable to code injection↗2017-10-24

▶

OSV

Rails Denial of Service vulnerability↗2017-10-24

▶

OSV

CVE-2006-4112: Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1↗2006-08-14

▶

📋Vendor Advisories

Debian

CVE-2006-4112: rails - Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Ra...↗2006

▶

Debian

CVE-2006-4111: rails - Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "se...↗2006

▶