CVE-2016-2098: Input Validation
First published: Thu Apr 07 2016(Updated: )
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian | =8.0 | |
| Ruby on Rails | =4.0.0 | |
| Ruby on Rails | =4.0.0-beta | |
| Ruby on Rails | =4.0.0-rc1 | |
| Ruby on Rails | =4.0.0-rc2 | |
| Ruby on Rails | =4.0.1 | |
| Ruby on Rails | =4.0.1-rc1 | |
| Ruby on Rails | =4.0.1-rc2 | |
| Ruby on Rails | =4.0.1-rc3 | |
| Ruby on Rails | =4.0.1-rc4 | |
| Ruby on Rails | =4.0.2 | |
| Ruby on Rails | =4.0.3 | |
| Ruby on Rails | =4.0.4 | |
| Ruby on Rails | =4.0.4-rc1 | |
| Ruby on Rails | =4.0.5 | |
| Ruby on Rails | =4.0.6 | |
| Ruby on Rails | =4.0.6-rc1 | |
| Ruby on Rails | =4.0.6-rc2 | |
| Ruby on Rails | =4.0.6-rc3 | |
| Ruby on Rails | =4.0.7 | |
| Ruby on Rails | =4.0.8 | |
| Ruby on Rails | =4.0.9 | |
| Ruby on Rails | =4.0.10-rc1 | |
| Ruby on Rails | =4.1.0 | |
| Ruby on Rails | =4.1.0-beta1 | |
| Ruby on Rails | =4.1.0-beta2 | |
| Ruby on Rails | =4.1.0-rc1 | |
| Ruby on Rails | =4.1.0-rc2 | |
| Ruby on Rails | =4.1.1 | |
| Ruby on Rails | =4.1.2 | |
| Ruby on Rails | =4.1.2-rc1 | |
| Ruby on Rails | =4.1.2-rc2 | |
| Ruby on Rails | =4.1.2-rc3 | |
| Ruby on Rails | =4.1.3 | |
| Ruby on Rails | =4.1.4 | |
| Ruby on Rails | =4.1.5 | |
| Ruby on Rails | =4.1.6-rc1 | |
| Ruby on Rails | =4.1.6-rc2 | |
| Ruby on Rails | =4.1.7 | |
| Ruby on Rails | =4.1.7.1 | |
| Ruby on Rails | =4.1.8 | |
| Ruby on Rails | =4.1.9-rc1 | |
| Ruby on Rails | =4.1.10-rc1 | |
| Ruby on Rails | =4.1.10-rc2 | |
| Ruby on Rails | =4.1.10-rc3 | |
| Ruby on Rails | =4.1.10-rc4 | |
| Ruby on Rails | =4.1.12-rc1 | |
| Ruby on Rails | =4.1.13-rc1 | |
| Ruby on Rails | =4.1.14-rc1 | |
| Ruby on Rails | =4.1.14-rc2 | |
| Ruby on Rails | =4.2.0-beta1 | |
| Ruby on Rails | =4.2.0-beta2 | |
| Ruby on Rails | =4.2.0-beta3 | |
| Ruby on Rails | =4.2.0-beta4 | |
| Ruby on Rails | =4.2.0-rc1 | |
| Ruby on Rails | =4.2.0-rc2 | |
| Ruby on Rails | =4.2.0-rc3 | |
| Ruby on Rails | =4.2.1 | |
| Ruby on Rails | =4.2.1-rc1 | |
| Ruby on Rails | =4.2.1-rc2 | |
| Ruby on Rails | =4.2.1-rc3 | |
| Ruby on Rails | =4.2.1-rc4 | |
| Ruby on Rails | =4.2.2 | |
| Ruby on Rails | =4.2.3 | |
| Ruby on Rails | =4.2.3-rc1 | |
| Ruby on Rails | =4.2.4 | |
| Ruby on Rails | =4.2.4-rc1 | |
| Ruby on Rails | =4.2.5 | |
| Ruby on Rails | =4.2.5-rc1 | |
| Ruby on Rails | =4.2.5-rc2 | |
| Ruby on Rails | =4.2.5.1 | |
| Ruby on Rails | <=3.2.22.1 | |
| Ruby on Rails | =4.1.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
- http://www.debian.org/security/2016/dsa-3509
- http://www.securityfocus.com/bid/83725
- http://www.securitytracker.com/id/1035122
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
- https://www.exploit-db.com/exploits/40086/
Frequently Asked Questions
What is the severity of CVE-2016-2098?
CVE-2016-2098 has a critical severity rating as it allows remote code execution due to improper handling of the render method in Ruby on Rails.
How do I fix CVE-2016-2098?
To fix CVE-2016-2098, update Ruby on Rails to version 3.2.22.2, 4.1.14.2 or later, or 4.2.5.2 or later.
What versions are affected by CVE-2016-2098?
CVE-2016-2098 affects Ruby on Rails versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2.
What types of applications are vulnerable to CVE-2016-2098?
Web applications built using vulnerable versions of the Ruby on Rails framework are at risk of CVE-2016-2098.
Does CVE-2016-2098 affect all Ruby on Rails applications?
CVE-2016-2098 specifically affects applications that make unrestricted use of the render method in the affected versions of Ruby on Rails.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/rubyonrails
- canonical/ruby on rails
- version/ruby on rails/4.0.0
- version/ruby on rails/4.0.0-beta
- version/ruby on rails/4.0.0-rc1
- version/ruby on rails/4.0.0-rc2
- version/ruby on rails/4.0.1
- version/ruby on rails/4.0.1-rc1
- version/ruby on rails/4.0.1-rc2
- version/ruby on rails/4.0.1-rc3
- version/ruby on rails/4.0.1-rc4
- version/ruby on rails/4.0.2
- version/ruby on rails/4.0.3
- version/ruby on rails/4.0.4
- version/ruby on rails/4.0.4-rc1
- version/ruby on rails/4.0.5
- version/ruby on rails/4.0.6
- version/ruby on rails/4.0.6-rc1
- version/ruby on rails/4.0.6-rc2
- version/ruby on rails/4.0.6-rc3
- version/ruby on rails/4.0.7
- version/ruby on rails/4.0.8
- version/ruby on rails/4.0.9
- version/ruby on rails/4.0.10-rc1
- version/ruby on rails/4.1.0
- version/ruby on rails/4.1.0-beta1
- version/ruby on rails/4.1.0-beta2
- version/ruby on rails/4.1.0-rc1
- version/ruby on rails/4.1.0-rc2
- version/ruby on rails/4.1.1
- version/ruby on rails/4.1.2
- version/ruby on rails/4.1.2-rc1
- version/ruby on rails/4.1.2-rc2
- version/ruby on rails/4.1.2-rc3
- version/ruby on rails/4.1.3
- version/ruby on rails/4.1.4
- version/ruby on rails/4.1.5
- version/ruby on rails/4.1.6-rc1
- version/ruby on rails/4.1.6-rc2
- version/ruby on rails/4.1.7
- version/ruby on rails/4.1.7.1
- version/ruby on rails/4.1.8
- version/ruby on rails/4.1.9-rc1
- version/ruby on rails/4.1.10-rc1
- version/ruby on rails/4.1.10-rc2
- version/ruby on rails/4.1.10-rc3
- version/ruby on rails/4.1.10-rc4
- version/ruby on rails/4.1.12-rc1
- version/ruby on rails/4.1.13-rc1
- version/ruby on rails/4.1.14-rc1
- version/ruby on rails/4.1.14-rc2
- version/ruby on rails/4.2.0-beta1
- version/ruby on rails/4.2.0-beta2
- version/ruby on rails/4.2.0-beta3
- version/ruby on rails/4.2.0-beta4
- version/ruby on rails/4.2.0-rc1
- version/ruby on rails/4.2.0-rc2
- version/ruby on rails/4.2.0-rc3
- version/ruby on rails/4.2.1
- version/ruby on rails/4.2.1-rc1
- version/ruby on rails/4.2.1-rc2
- version/ruby on rails/4.2.1-rc3
- version/ruby on rails/4.2.1-rc4
- version/ruby on rails/4.2.2
- version/ruby on rails/4.2.3
- version/ruby on rails/4.2.3-rc1
- version/ruby on rails/4.2.4
- version/ruby on rails/4.2.4-rc1
- version/ruby on rails/4.2.5
- version/ruby on rails/4.2.5-rc1
- version/ruby on rails/4.2.5-rc2
- version/ruby on rails/4.2.5.1
- version/ruby on rails/3.2.22.1
- version/ruby on rails/4.1.14.1