Arbitrary View Rendering Affecting actionpack package, versions >=3.0.0, <3.0.10 >=3.1.0.beta1, <3.1.0.rc6
Threat Intelligence
EPSS
0.76% (82nd percentile)
- Snyk ID SNYK-RUBY-ACTIONPACK-20279
- published 28 Feb 2017
- disclosed 16 Aug 2011
- credit Jan M. Faber
Introduced: 16 Aug 2011
CVE-2011-2929
Overview
actionpack is a web app builder and tester on Rails.
The template selection code contains a vulnerability that allows an attacker to craft a URL and cause Rails to render an arbitrary view, regardless of whether they have permission to view the template. This only affects 3.0 applications which use :action in their routes.
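As an added example (not Snyk's or the Rails project's code), the following Ruby check tests the two conditions this advisory names: a resolved actionpack version inside the affected ranges, and a route whose path contains a dynamic :action segment. The Gemfile.lock and routes.rb contents are constructed samples, the function names are hypothetical, and the route scan is a line-based heuristic.

```ruby
require "rubygems"
# Affected actionpack ranges, as listed in the advisory above.
AFFECTED = [
  Gem::Requirement.new(">= 3.0.0", "< 3.0.10"),
  Gem::Requirement.new(">= 3.1.0.beta1", "< 3.1.0.rc6")
].freeze

# Resolved version from Gemfile.lock; spec lines are indented exactly 4 spaces.
def actionpack_version(lock_text)
  m = lock_text.match(/^ {4}actionpack \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

def affected_version?(version)
  AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# Heuristic: [line_no, line] for route lines whose string literal has a dynamic
# :action segment. Comment lines and a fixed `:action => "x"` option are ignored.
def action_routes(routes_text)
  routes_text.each_line.with_index(1).filter_map do |line, no|
    next if line.lstrip.start_with?("#")
    literals = line.scan(/"([^"]*)"|'([^']*)'/).flatten.compact
    [no, line.strip] if literals.any? { |s| s =~ /:action\b/ }
  end
end

# Both conditions named in the advisory must hold.
def exposed?(lock_text, routes_text)
  v = actionpack_version(lock_text)
  !v.nil? && affected_version?(v) && action_routes(routes_text).any?
end

# Constructed sample inputs (not from a real application).
SAMPLE_LOCK = <<LOCK
GEM
  specs:
    actionmailer (3.0.9)
      actionpack (= 3.0.9)
    actionpack (3.0.9)
LOCK
SAMPLE_ROUTES = <<ROUTES
Shop::Application.routes.draw do
  # match "old/:action"
  match "reports/:action" => "reports"
  match "about", :controller => "pages", :action => "about"
end
ROUTES
puts "exposed: #{exposed?(SAMPLE_LOCK, SAMPLE_ROUTES)}" if __FILE__ == $0
```

Routes flagged by `action_routes` are the ones to review or replace with explicit action names after upgrading actionpack past the affected ranges.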
CVSS Scores
version 3.1