CVE-2011-0449

Sažetak

actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.

Reference

http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
http://secunia.com/advisories/43278
http://securitytracker.com/id?1025061
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
http://www.vupen.com/english/advisories/2011/0877

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

08-08-2019 - 15:41

Objavljeno

21-02-2011 - 18:00