{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-02-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-02T09:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "SUSE-SU-2016:0867", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"}, {"name": "SUSE-SU-2016:0967", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"}, {"name": "DSA-3509", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3509"}, {"name": "83725", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/83725"}, {"name": "1035122", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035122"}, {"name": "40086", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/40086/"}, {"name": "SUSE-SU-2016:0854", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"}, {"name": "openSUSE-SU-2016:0790", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "openSUSE-SU-2016:0835", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"}, {"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-2098", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SU-2016:0867", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"}, {"name": "SUSE-SU-2016:0967", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"}, {"name": "DSA-3509", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3509"}, {"name": "83725", "refsource": "BID", "url": "http://www.securityfocus.com/bid/83725"}, {"name": "1035122", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035122"}, {"name": "40086", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/40086/"}, {"name": "SUSE-SU-2016:0854", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"}, {"name": "openSUSE-SU-2016:0790", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"}, {"name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "openSUSE-SU-2016:0835", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"}, {"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"}, {"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", "refsource": "CONFIRM", "url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:17:50.698Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SU-2016:0867", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"}, {"name": "SUSE-SU-2016:0967", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"}, {"name": "DSA-3509", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3509"}, {"name": "83725", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/83725"}, {"name": "1035122", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1035122"}, {"name": "40086", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/40086/"}, {"name": "SUSE-SU-2016:0854", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"}, {"name": "openSUSE-SU-2016:0790", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "openSUSE-SU-2016:0835", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"}, {"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-2098", "datePublished": "2016-04-07T23:00:00.000Z", "dateReserved": "2016-01-29T00:00:00.000Z", "dateUpdated": "2024-08-05T23:17:50.698Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBD4FBDC-F05B-4CDD-8928-7122397A7651", "versionEndIncluding": "3.2.22.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*", "matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method."}, {"lang": "es", "value": "Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar c\u00f3digo Ruby arbitrario aprovechando el uso no restringido del m\u00e9todo render de una aplicaci\u00f3n."}], "id": "CVE-2016-2098", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-07T23:59:06.643", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3509"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/83725"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1035122"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"}, {"source": "secalert@redhat.com", "url": "https://www.exploit-db.com/exploits/40086/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/83725"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1035122"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/40086/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Tobias Kraze (makandra) and joernchen (Phenoelit) as the original reporters.", "affected_release": [{"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0456", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}], "bugzilla": {"description": "rubygem-actionpack: code injection vulnerability in Action View", "id": "1310054", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310054"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-94", "details": ["Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.", "A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code."], "name": "CVE-2016-2098", "package_state": [{"cpe": "cpe:/a:cloudforms_managementengine:5.2", "fix_state": "Affected", "package_name": "ruby193-rubygem-actionpack", "product_name": "CloudForms Management Engine 5.2"}, {"cpe": "cpe:/a:cloudforms_managementengine:5.3", "fix_state": "Affected", "package_name": "ruby193-rubygem-actionpack", "product_name": "CloudForms Management Engine 5.3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-ror42-rubygem-actionview", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionpack", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "rubygem-actionpack", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2016-02-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-2098\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-2098\nhttps://groups.google.com/forum/#!msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"], "threat_severity": "Important"}

{}