CVE-2011-0449
published 2011-02-21CVE-2011-0449: actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement…
PriorityP341high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
2.50%
82.6th percentile
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actionpack_project | actionpack | >= 3.0.0 < 3.0.4 | 3.0.4 |
| debian | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian7.5LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
actionpack allows remote attackers to bypass intended access restrictions
ghsa·2017-10-24
CVE-2011-0449 [HIGH] actionpack allows remote attackers to bypass intended access restrictions
actionpack allows remote attackers to bypass intended access restrictions
`actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
OSV
actionpack allows remote attackers to bypass intended access restrictions
osv·2017-10-24
CVE-2011-0449 [HIGH] actionpack allows remote attackers to bypass intended access restrictions
actionpack allows remote attackers to bypass intended access restrictions
`actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
Debian
CVE-2011-0449: rails - actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3....
vendor_debian·2011·CVSS 7.5
CVE-2011-0449 [HIGH] CVE-2011-0449: rails - actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3....
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplainhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.htmlhttp://secunia.com/advisories/43278http://securitytracker.com/id?1025061http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4http://www.vupen.com/english/advisories/2011/0877http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplainhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.htmlhttp://secunia.com/advisories/43278http://securitytracker.com/id?1025061http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4http://www.vupen.com/english/advisories/2011/0877
2011-02-21
Published