CVE-2016-2098
high
CVSS v3
7.3
CVSS v2
7.5
VIR risk
8.3
Description
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
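The "unrestricted use of the render method" in the description means passing request data straight through, as in `render params[:id]`: Rails' render accepts either a template name or an options Hash, and the `:inline` option tells it to evaluate the given string as an ERB template. The public exploits listed on this page reach that path through nested query parameters, so that the value handed to render is a Hash with an `inline` key. The following is an added example, not code from this page or from Rails itself: a simplified Ruby model of that dispatch, with the vulnerable controller-style action next to the hardened one the advisory recommends (render only an explicitly allowlisted template name). The nested-query parser, the template table and the two action functions are constructed for this example and stand in for Rails' own machinery.

```ruby
require "erb"
require "cgi"

# Constructed template table standing in for an app's view files.
TEMPLATES = { "index" => "<h1>Index</h1>", "show" => "<h1>Show</h1>" }.freeze
ALLOWED_TEMPLATES = TEMPLATES.keys.freeze

# Stand-in for Rails' nested-parameter parsing: "id[inline]=..." becomes
# {"id" => {"inline" => "..."}}. Only the one-level key[sub]=value shape
# needed here is handled.
def parse_nested_query(query)
  query.split("&").each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2).map { |s| CGI.unescape(s.to_s) }
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Simplified model of render's argument handling (not Rails' code):
# a String names a template to look up; a Hash carrying :inline is an ERB
# template that is evaluated immediately.
def render_model(arg)
  case arg
  when Hash
    inline = arg["inline"] || arg[:inline]
    raise ArgumentError, "only the :inline option is modelled here" unless inline
    ERB.new(inline).result(binding) # attacker-controlled ERB runs as Ruby
  when String
    TEMPLATES.fetch(arg) { raise ArgumentError, "no template named #{arg}" }
  else
    raise ArgumentError, "unsupported render argument #{arg.inspect}"
  end
end

# Vulnerable shape: whatever arrived under params["id"] goes to render,
# so id[inline]=<ERB> turns the request into code execution.
def vulnerable_action(query)
  render_model(parse_nested_query(query)["id"])
end

# Hardened shape: only a String that is on the allowlist reaches render;
# a Hash (or anything else) from the request is rejected first.
def hardened_action(query)
  name = parse_nested_query(query)["id"]
  unless name.is_a?(String) && ALLOWED_TEMPLATES.include?(name)
    raise ArgumentError, "rejected render target #{name.inspect}"
  end
  render_model(name)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_action("id=index")
  puts vulnerable_action("id[inline]=<%= 6*7 %>")          # ERB evaluated: 42
  puts hardened_action("id=show")
  begin
    hardened_action("id[inline]=<%= 6*7 %>")
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

The inline payload here is the harmless `6*7`; the real exploit puts a command in the template instead. The hardening matters in both places the advisory names: the type check stops a Hash built from nested parameters, and the allowlist stops a plain string naming an unintended template.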
Predictions
Exploit likelihood
100%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-2098
Vendor advisory: secalert@redhat.com — http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
Exploits
Exploit-DB
- EDB-40086 · remote · ruby
Metasploit modules
- exploit/multi/http/rails_actionpack_inline_exec · rank 600 (excellent) · Ruby on Rails ActionPack Inline ERB Code Execution
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | 8.0 | affected | |
| debian | bookworm | fixed | 2:4.2.5.2-1 |
| debian | bullseye | fixed | 2:4.2.5.2-1 |
| debian | forky | fixed | 2:4.2.5.2-1 |
| debian | sid | fixed | 2:4.2.5.2-1 |
| debian | trixie | fixed | 2:4.2.5.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionpack | < 3.2.22.2 (not affected: >= 5.0.0.beta1) | ~> 3.2.22.2 |
| RubyGems | actionpack | >=3.0.0,<3.2.22.2 | 3.2.22.2 |
| RubyGems | actionpack | >=4.0.0,<4.1.14.2 | 4.1.14.2 |
| RubyGems | actionpack | >=4.2.0,<4.2.5.2 | 4.2.5.2 |
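The ranges in the table above are what an audit of a Rails application should compare against, and the resolved actionpack version lives in `Gemfile.lock`, not in the Gemfile. The following is an added example, not part of this page or of any scanner: it encodes the three vulnerable ranges as RubyGems requirements (so prerelease versions such as 5.0.0.beta1 are handled by the library's own ordering and fall outside every range), pulls the pinned actionpack version out of lockfile text, and reports whether it is affected. The lockfile excerpt is constructed for the example.

```ruby
require "rubygems"

# Vulnerable actionpack ranges from the package-impact table; each entry is a
# RubyGems requirement so comparison follows Gem::Version ordering rather than
# string comparison (4.2.5.1 < 4.2.5.2 < 4.2.10, and 5.0.0.beta1 < 5.0.0).
VULNERABLE_RANGES = [
  Gem::Requirement.new(">= 3.0.0", "< 3.2.22.2"),
  Gem::Requirement.new(">= 4.0.0", "< 4.1.14.2"),
  Gem::Requirement.new(">= 4.2.0", "< 4.2.5.2"),
].freeze

def vulnerable_actionpack?(version_string)
  return false unless Gem::Version.correct?(version_string)
  version = Gem::Version.new(version_string)
  VULNERABLE_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Top-level specs in Gemfile.lock are indented by exactly four spaces; the
# dependency lines beneath them use six, so "actionpack (= x.y.z)" listed as a
# dependency of another gem is deliberately not matched here.
def locked_actionpack_version(lock_text)
  m = lock_text.match(/^ {4}actionpack \(([^)]+)\)$/)
  m && m[1]
end

def audit_lockfile(lock_text)
  version = locked_actionpack_version(lock_text)
  return { version: nil, vulnerable: false } if version.nil?
  { version: version, vulnerable: vulnerable_actionpack?(version) }
end

# Constructed Gemfile.lock excerpt (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.5.1)
        actionview (= 4.2.5.1)
        activesupport (= 4.2.5.1)
        rack (~> 1.6)
      actionview (4.2.5.1)
      rails (4.2.5.1)
        actionpack (= 4.2.5.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  result = audit_lockfile(lock)
  puts "actionpack #{result[:version] || '(absent)'}: " \
       "#{result[:vulnerable] ? 'VULNERABLE to CVE-2016-2098' : 'not in a vulnerable range'}"
end
```

Run it with a path to a real `Gemfile.lock` to audit an application, or with no argument to see the constructed sample flagged. The version check is only half the story: an application on a fixed release is still exposed to the same class of bug if it keeps passing unvalidated parameters to render, so the allowlisting workaround from the advisory belongs in the code review as well.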
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.2 | |
| rubyonrails | rails | 4.0.3 | |
| rubyonrails | rails | 4.0.4 | |
| rubyonrails | rails | 4.0.5 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.7 | |
| rubyonrails | rails | 4.0.8 | |
| rubyonrails | rails | 4.0.9 | |
| rubyonrails | rails | 4.0.10 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 | |
| rubyonrails | rails | 4.1.5 | |
| rubyonrails | rails | 4.1.6 | |
| rubyonrails | rails | 4.1.7 | |
| rubyonrails | rails | 4.1.7.1 | |
| rubyonrails | rails | 4.1.8 | |
| rubyonrails | rails | 4.1.9 | |
| rubyonrails | rails | 4.1.10 | |
| rubyonrails | rails | 4.1.12 | |
| rubyonrails | rails | 4.1.13 | |
| rubyonrails | rails | 4.1.14 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | ruby_on_rails | <= 3.2.22.1 | |
| rubyonrails | ruby_on_rails | 4.1.14.1 | |
References
- https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
- http://www.debian.org/security/2016/dsa-3509
- http://www.securityfocus.com/bid/83725
- http://www.securitytracker.com/id/1035122
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
- https://www.exploit-db.com/exploits/40086/
- https://nvd.nist.gov/vuln/detail/CVE-2016-2098
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml
- https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725
- https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
- https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122
- https://security-tracker.debian.org/tracker/CVE-2016-2098
CWEs
CWE-20