CVE-2007-5379 — Sensitive Information Exposure in Rails

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

10.6%

top 6.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails David Hansson Ruby ON Rails

Timeline

PublishedOct 19

Latest updateOct 24

Description

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶RubyGemsrubyonrails/rails< 1.2.4

▶Debianrubyonrails/rails< 1.2.5-1+3

▶NVDdavid_hansson/ruby_on_rails1.2.3

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects rails↗2017-10-24

▶

OSV

Moderate severity vulnerability that affects rails↗2017-10-24

▶

OSV

CVE-2007-5379: Rails before 1↗2007-10-19

▶

CVEList

CVE-2007-5379: Rails before 1↗2007-10-19

▶

📋Vendor Advisories

Debian

CVE-2007-5379: rails - Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and Activ...↗2007

▶