CVE-2011-0449 – actionpack
Package
Manager: gem
Name: actionpack
Vulnerable Version: >=3.0.0 <3.0.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00555 pctl 0.67137
Details
actionpack allows remote attackers to bypass intended access restrictions. `actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
Metadata
Created: 2017-10-24T18:33:38Z
Modified: 2023-05-12T15:23:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-4ww3-3rxj-8v6q/GHSA-4ww3-3rxj-8v6q.json
CWE IDs: []
Alternative ID: GHSA-4ww3-3rxj-8v6q
Finding: F113
Auto approve: 1