Version 8.0.0

activesupport

Ruby on Rails

Install Instructions

gem install activesupport
Current Version Release Date: November 07, 2024
Language: Ruby
Package URL (purl): pkg:gem/activesupport@8.0.0


activesupport Vulnerabilities

CVE | Severity and CVSS Score | CWE(s) | EPSS Score | EPSS Percentile | Impacted Versions

CVE-2011-2197 | Medium 4.3 | CWE-79 | 0.00353 | 0.72529
  • 3.0.0–3.0.7.rc2
  • 2.0.0–2.3.10
CVE-2011-2932 | Medium 4.3 | CWE-79 | 0.00308 | 0.7046
  • 3.0.0–3.0.10.rc1
  • 2.0.0–2.3.12
CVE-2012-3464 | Medium 4.3 | CWE-79 | 0.0022 | 0.60626
  • 3.0.0–3.2.8.rc2
  • 2.0.0–2.3.18
  • 1.0.0–1.4.4
CVE-2013-0333 | High 7.5 | CWE-94 | 0.97277 | 0.99894
  • 3.0.0–3.0.19
  • 2.3.2–2.3.15
CVE-2015-3227 | Medium 5 | CWE-400 | 0.01568 | 0.87656
  • 4.0.0–4.2.1.rc4
  • 3.0.0–3.2.22.5
  • 2.0.0–2.3.18
  • 1.0.0–1.4.4
CVE-2023-22796 | High 7.5 | CWE-1333, CWE-400 | 0.00159 | 0.53189
  • 7.0.0–7.0.4
  • 6.0.0–6.1.7
  • 5.0.0–5.2.8.1
  • 4.0.0–4.2.11.3
  • 3.0.0–3.2.22.5
  • 2.0.0–2.3.18
  • 1.0.0–1.4.4
CVE-2023-28120 | Unknown | CWE-79 | None | None
  • 7.0.0–7.0.4.2
  • 6.0.0–6.1.7.2
  • 5.0.0–5.2.8.1
  • 4.0.0–4.2.11.3
  • 3.0.0–3.2.22.5
  • 2.0.0–2.3.18
  • 1.0.0–1.4.4
CVE-2013-1856 | Medium 5.8 | CWE-200, CWE-400, CWE-20 | 0.01282 | 0.86197
  • 3.0.0–3.2.13.rc2
CVE-2012-1098 | Medium 4.3 | CWE-79 | 0.00243 | 0.64808
  • 3.0.0–3.2.2.rc1
CVE-2009-3009 | Medium 4.3 | CWE-79 | 0.00319 | 0.71088
  • 2.0.0–2.3.3
CVE-2009-3086 | Medium 5 | CWE-200 | 0.00556 | 0.78102
  • 2.1.0–2.3.3
CVE-2023-38037 | Unknown | none listed | None | None
  • 7.0.0–7.0.7
  • 6.0.0–6.1.7.4
  • 5.2.0–5.2.8.1
CVE-2020-8165 | High 9.8 | CWE-502 | 0.66305 | 0.98012
  • 6.0.0–6.0.3.rc1
  • 5.0.0–5.2.4.2
CVE-2015-3226 | Medium 4.3 | CWE-79 | 0.00254 | 0.65786
  • 4.1.0–4.2.1.rc4


activesupport Vulnerability Remediation Guidance

Each entry below gives the CVE, its description, the impacted versions (the page shows only a partial list for most entries) and the fix.

CVE-2023-38037
Description: There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
Versions Affected: >= 5.2.0. Not affected: < 5.2.0. Fixed Versions: 7.0.7.1, 6.1.7.5
Impact: ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions default to the user's current umask settings, meaning that it is possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases: The fixed releases are available at the normal locations.
Workarounds: To work around this issue, you can set your umask to be more restrictive, for example with the following shell command before editing the file:
```sh
umask 0077
```
Impacted versions (partial list): 7.0.2.2, 7.0.3.1, 5.2.6, 7.0.2.4, 6.0.4.8, 6.0.4.7, 5.2.7, 6.1.4.7
Fix: Patch → 7.0.7.1

CVE-2023-28120
Description: There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120.
Versions Affected: All. Not affected: None. Fixed Versions: 7.0.4.3, 6.1.7.3
Impact: ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
Workarounds: Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
Impacted versions (partial list): 2.3.8, 3.0.12, 3.2.6, 3.2.11, 3.1.7, 1.4.4, 3.0.17, 3.2.8.rc2
Fix: Patch → 6.1.7.5

CVE-2023-22796
Description: A regular expression based DoS vulnerability in Active Support < 6.1.7.1 and < 7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Impacted versions (partial list): 2.3.8, 3.0.12, 3.2.6, 3.2.11, 3.1.7, 1.4.4, 3.0.17, 3.2.8.rc2
Fix: Patch → 6.1.7.5

CVE-2020-8165
Description: A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in an RCE.
Impacted versions (partial list): 5.1.7, 5.0.5.rc2, 5.0.5.rc1, 5.0.4, 5.0.2.rc1, 5.2.4.2, 5.2.3, 5.2.4.rc1
Fix: Patch → 6.1.7.5

CVE-2015-3227
Description: The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
Impacted versions (partial list): 2.3.8, 3.0.12, 3.2.6, 3.2.11, 3.1.7, 1.4.4, 3.0.17, 3.2.8.rc2
Fix: Patch → 6.1.7.5

CVE-2015-3226
Description: Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
Impacted versions (partial list): 4.1.8, 4.1.6.rc2, 4.1.3, 4.1.1, 4.1.0, 4.2.1, 4.2.1.rc1, 4.1.10
Fix: Patch → 6.1.7.5

CVE-2013-1856
Description: The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
Impacted versions (partial list): 3.0.12, 3.2.6, 3.2.11, 3.1.7, 3.0.17, 3.2.8.rc2, 3.2.2, 3.0.6.rc2
Fix: Patch → 6.1.7.5

CVE-2013-0333
Description: lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
Impacted versions (partial list): 2.3.8, 3.0.12, 3.0.17, 3.0.6.rc2, 2.3.9, 3.0.7.rc1, 3.0.4, 2.3.12
Fix: Patch → 6.1.7.5

CVE-2012-3464
Description: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
Impacted versions (partial list): 2.3.8, 3.0.12, 3.2.6, 3.1.7, 1.4.4, 3.2.8.rc2, 3.2.2, 3.0.6.rc2
Fix: Patch → 6.1.7.5

CVE-2012-1098
Description: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
Impacted versions (partial list): 3.0.6.rc2, 3.1.1, 3.2.2.rc1, 3.2.0, 3.0.7.rc1, 3.0.4, 3.1.1.rc3, 3.1.1.rc1
Fix: Patch → 6.1.7.5

CVE-2011-2932
Description: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
Impacted versions (partial list): 2.3.8, 3.0.6.rc2, 2.3.9, 3.0.7.rc1, 3.0.4, 2.3.12, 2.3.6, 2.3.5
Fix: Patch → 6.1.7.5

CVE-2011-2197
Description: The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
Impacted versions (partial list): 2.3.8, 3.0.6.rc2, 2.3.9, 3.0.7.rc1, 3.0.4, 2.3.6, 2.3.5, 2.2.3
Fix: Patch → 6.1.7.5

CVE-2009-3086
Description: A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
Impacted versions: 2.3.2, 2.1.1, 2.3.3, 2.2.2, 2.1.2, 2.1.0
Fix: Patch → 6.1.7.5

CVE-2009-3009
Description: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Impacted versions (partial list): 2.0.2, 2.3.2, 2.1.1, 2.3.3, 2.0.1, 2.0.0, 2.0.5, 2.0.4
Fix: Patch → 6.1.7.5


Dependencies

Packages using versions of activesupport affected by its vulnerabilities

Dependent Packages
base64 >= 0
benchmark >= 0.3
bigdecimal >= 0
concurrent-ruby ~> 1.0, >= 1.3.1
connection_pool >= 2.2.5
drb >= 0
i18n >= 1.6, < 2
logger >= 1.4.2
minitest >= 5.1
securerandom >= 0.3
tzinfo ~> 2.0, >= 2.0.5
uri >= 0.13.1