CVE-2007-5379 – rails
Package
Manager: gem
Name: rails
Vulnerable Version: >=0 <1.2.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.10003 (percentile 0.92769)
Details
Moderate severity vulnerability that affects the rails gem. Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and to read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which passes its argument to XmlSimple (XML::Simple) unsafely: XmlSimple treats a string that does not contain markup as a filename to open, so a request body consisting of a server-side path is read from disk and parsed as if it were the submitted document. This was demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
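The following is an added example and not code from Rails or XmlSimple. It reimplements, in simplified form, the string-versus-filename dispatch that made Hash.from_xml dangerous in Rails before 1.2.4, shows what an attacker obtains by submitting a bare path as the request body, and places a guard next to it that refuses input which is not an XML document. The accounts.xml content is constructed for the demonstration, the helper names are hypothetical, and the guard illustrates one hardening approach rather than the upstream patch.

```ruby
# Added example (not Rails or XmlSimple code). Reproduces the input-dispatch
# heuristic behind CVE-2007-5379 and a guard that closes it.
require "tempfile"

# XmlSimple decided whether a String argument was XML text or a *filename* by
# content: a string containing a tag was parsed, anything else was opened as a
# file. This helper mirrors that rule (assumption: simplified reimplementation).
def xmlsimple_treats_as_filename?(input)
  !(input =~ /<.*?>/m)
end

# Models the pre-1.2.4 behaviour: the request body goes straight to the
# XmlSimple-style loader. A body like "/home/app/.purple/accounts.xml" is read
# from disk; a missing path raises, which reveals whether the file exists.
# Returns the text that would reach the XML parser (hypothetical helper).
def vulnerable_from_xml(input)
  if xmlsimple_treats_as_filename?(input)
    raise ArgumentError, "File does not exist: #{input}" unless File.exist?(input)
    File.read(input)
  else
    input
  end
end

# Hardened form: only accept input that already is an XML document, so a bare
# path can never be interpreted as a file to open (hypothetical helper).
def safe_from_xml(input)
  raise ArgumentError, "request body is not an XML document" unless input.lstrip.start_with?("<")
  input
end

# Constructed sample standing in for ~/.purple/accounts.xml (not a real file).
SAMPLE_ACCOUNTS_XML = <<~XML
  <?xml version='1.0' encoding='UTF-8' ?>
  <account version='1.0'>
    <account>
      <protocol>prpl-jabber</protocol>
      <name>alice@example.org</name>
      <password>hunter2</password>
    </account>
  </account>
XML

# Simulates an attacker who knows or guesses a server-side path and submits it
# as the request body. Returns the secret exposed through the vulnerable path
# and the error produced by the guarded path for the same input.
def demonstrate
  Tempfile.create(["accounts", ".xml"]) do |f|
    f.write(SAMPLE_ACCOUNTS_XML)
    f.flush
    leaked = vulnerable_from_xml(f.path) # the "XML" body is just a path
    password = leaked[%r{<password>([^<]*)</password>}, 1]
    blocked = begin
      safe_from_xml(f.path)
      nil
    rescue ArgumentError => e
      e.message
    end
    { leaked_password: password, guarded_error: blocked }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demonstrate
end
```

Running the file prints the password recovered from the temporary accounts.xml alongside the rejection from the guarded path; probing a non-existent path through vulnerable_from_xml raises the "File does not exist" error that gives away file existence, which is the second half of the CWE-200 exposure described above.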
Metadata
Created: 2017-10-24T18:33:38Z
Modified: 2025-05-01T18:12:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-fjfg-q662-gm6j/GHSA-fjfg-q662-gm6j.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-fjfg-q662-gm6j
Finding: F308
Auto approve: 1