Ruby on Rails contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to access or modify sensitive information, bypass security restrictions, conduct cross-site scripting (XSS) attacks, or cause a denial of service (DoS) condition.
This update addresses nine vulnerabilities. The vulnerabilities are due to insufficient validation of user-supplied input on a targeted system. An attacker could exploit these vulnerabilities by passing crafted requests to a targeted system. An attacker could also exploit a timing flaw in the affected software to attempt to guess the username and password of applications that utilize the affected software.
In addition, this update addresses three vulnerabilities in the rails-html-sanitizer component of the affected software. Those vulnerabilities could be leveraged to conduct XSS attacks due to improper filtering of user-supplied input.
The following Ruby on Rails products are affected:
- Rails versions prior to 188.8.131.52
- Rails versions prior to 184.108.40.206
- Rails versions prior to 220.127.116.11
- rails-html-sanitizer versions prior to 1.0.3
Rubyonrails.org has confirmed these vulnerabilities at the following link: Rails
Rubyonrails.org has released software updates at the following links:
FreeBSD has released a VuXML document at the following link: rails -- multiple vulnerabilities
FreeBSD releases ports collection updates at the following link: Ports Collection Index
Red Hat has released multiple CVE statements and security advisories for multiple bugs at the following links: RHSA-2016:0296, RHSA-2016:0455 and RHSA-2016:0454
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Administrators are advised to apply the appropriate updates.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to monitor affected systems.