Version 8.0.0
rails
Ruby on Rails
Install Instructions
gem install rails
Current Version Release Date November 07, 2024
Language Ruby
Package URL (purl) pkg:gem/rails@8.0.0
Find rails vulnerabilities in your supply chain.
rails Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2007-3227 | Medium 4.3 | CWE-79 | 0.00881 | 0.83134 |
|
| CVE-2007-5379 | Medium 5 | CWE-200 | 0.00817 | 0.82483 |
|
| CVE-2007-5380 | Medium 6.8 | CWE-384 | 0.02871 | 0.91096 |
|
| CVE-2007-6077 | Medium 6.8 | CWE-362 | 0.02881 | 0.91109 |
|
| CVE-2008-4094 | High 7.5 | CWE-89 | 0.00318 | 0.7124 |
|
| CVE-2008-5189 | Medium 5 | CWE-352 | 0.0023 | 0.61886 |
|
| CVE-2009-2422 | High 9.8 | CWE-287 | 0.02654 | 0.90757 |
|
| CVE-2009-4214 | Medium 4.3 | CWE-79 | 0.00319 | 0.71292 |
|
| CVE-2011-0446 | Medium 4.3 | CWE-79 | 0.00295 | 0.70058 |
|
| CVE-2011-1497 | Medium 6.1 | CWE-79 | 0.00066 | 0.30952 |
|
| CVE-2012-2694 | Medium 4.3 | CWE-264 | 0.00291 | 0.69835 |
|
| CVE-2012-2695 | High 7.3 | CWE-89 | 0.05952 | 0.93718 |
|
| CVE-2014-0081 | Medium 4.3 | CWE-79 | 0.00207 | 0.5946 |
|
| CVE-2009-3009 | Medium 4.3 | CWE-79 | 0.00319 | 0.71292 |
|
| CVE-2011-2197 | Medium 4.3 | CWE-79 | 0.00353 | 0.72729 |
|
| CVE-2006-4111 | High 7.5 | CWE-94 | 0.02711 | 0.90852 |
|
| CVE-2006-4112 | High 7.5 | CWE-94 | 0.03707 | 0.92072 |
|
| CVE-2008-7248 | Medium 6.8 | CWE-20 | 0.15487 | 0.96073 |
|
| CVE-2009-3086 | Medium 5 | CWE-200 | 0.00556 | 0.78281 |
|
| CVE-2011-0447 | Medium 6.8 | CWE-352 | 0.00384 | 0.73825 |
|
| CVE-2011-4319 | Medium 4.3 | CWE-79 | 0.00296 | 0.70089 |
|
| CVE-2010-3933 | Medium 6.4 | CWE-20 | 0.00376 | 0.73576 |
|
| CVE-2024-26142 | High 7.5 | CWE-1333 | 0.00045 | 0.17206 |
|
| CVE-2024-26143 | Medium 6.1 | CWE-79 | 0.00044 | 0.11741 |
|
| CVE-2021-22880 | High 7.5 | CWE-400 | 0.00605 | 0.79194 |
|
| CVE-2024-26144 | Medium 5.3 | CWE-200 | 0.00044 | 0.11741 |
|
rails Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2024-26144 | Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7. | 5.2.4, 5.2.2.1, 6.0.2.1, 6.0.3.2, 6.0.3.1, 5.2.4.2, 6.0.2.2, 6.0.0.rc2 (Show all) | Patch → 6.1.7.7 |
| CVE-2024-26143 | Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1. | 7.1.0, 7.1.2, 7.1.3, 7.1.1, 7.0.7, 7.0.6, 7.0.5.1, 7.0.4.2 (Show all) | Patch → 7.1.3.1 |
| CVE-2024-26142 | Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. | 7.1.0, 7.1.2, 7.1.3, 7.1.1 | Patch → 7.1.3.1 |
| CVE-2021-22880 | The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. | 5.2.4, 5.2.2.1, 5.1.4.rc1, 5.0.7.2, 6.0.2.1, 4.2.7, 5.0.0, 6.0.3.2 (Show all) | Patch → 6.1.7.7 |
| CVE-2014-0081 | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2012-2695 | The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2012-2694 | actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2011-4319 | Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring. | 3.0.3, 3.0.4.rc1, 3.0.0, 3.0.1, 3.0.2, 3.1.2.rc2, 3.1.1.rc2, 3.0.9 (Show all) | Minor → 3.2.17 |
| CVE-2011-2197 | The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. | 2.0.1, 2.1.0, 2.0.4, 2.0.0, 2.0.2, 2.0.5, 2.3.4, 3.0.3 (Show all) | Major → 3.2.17 |
| CVE-2011-1497 | A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2011-0447 | Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. | 2.1.0, 2.3.4, 3.0.3, 2.3.8, 3.0.4.rc1, 2.3.9.pre, 2.3.10, 2.3.5 (Show all) | Major → 3.2.17 |
| CVE-2011-0446 | Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2010-3933 | Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | 3.0.0, 2.3.9 | Minor → 3.2.17 |
| CVE-2009-4214 | Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2009-3086 | A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. | 2.1.0, 2.1.1, 2.3.3, 2.1.2, 2.2.2, 2.3.2 | Major → 3.2.17 |
| CVE-2009-3009 | Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. | 2.0.1, 2.1.0, 2.0.4, 2.0.0, 2.0.2, 2.0.5, 2.1.1, 2.3.3 (Show all) | Major → 3.2.17 |
| CVE-2009-2422 | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2008-7248 | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. | 2.1.0, 2.1.1, 2.1.2 | Major → 3.2.17 |
| CVE-2008-5189 | CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2008-4094 | Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | 0.9.5, 2.0.1, 1.2.6, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5 (Show all) | Major → 3.2.17 |
| CVE-2007-6077 | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. | 0.9.5, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.2.5, 1.1.5, 1.2.0 (Show all) | Major → 3.2.17 |
| CVE-2007-5380 | Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions." | 0.9.5, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.1.5, 1.2.0, 1.1.6 (Show all) | Major → 3.2.17 |
| CVE-2007-5379 | Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file. | 0.9.5, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.1.5, 1.2.0, 1.1.6 (Show all) | Major → 3.2.17 |
| CVE-2007-3227 | Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. | 0.9.5, 1.1.1, 1.2.2, 1.2.3, 1.2.1, 1.1.5, 1.2.0, 1.1.6 (Show all) | Major → 3.2.17 |
| CVE-2006-4112 | Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. | 1.1.1, 1.1.5, 1.1.0, 1.1.3, 1.1.4, 1.1.2 | Major → 3.2.17 |
| CVE-2006-4111 | Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. | 1.1.1, 1.1.5, 1.1.0, 1.1.3, 1.1.4, 1.1.2 | Major → 3.2.17 |
Instantly see if these rails vulnerabilities affect your code.
Dependencies
Packages using versions of rails affected by its vulnerabilities
| Dependent Packages |
|---|
| actioncable= 8.0.0 |
| actionmailbox= 8.0.0 |
| actionmailer= 8.0.0 |
| actionpack= 8.0.0 |
| actiontext= 8.0.0 |
| actionview= 8.0.0 |
| activejob= 8.0.0 |
| activemodel= 8.0.0 |
| activerecord= 8.0.0 |
| activestorage= 8.0.0 |
| activesupport= 8.0.0 |
| bundler>= 1.15.0 |
| railties= 8.0.0 |