Upgrade SLES:15.4 kernel-livepatch-5_14_21-150400_24_158-default to version 1-150400.9.3.1 or higher.

Cross-site Scripting (XSS) in ruby-rack | CVE-2018-16471

Threat Intelligence

0.32% (71^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-UBUNTU2010-RUBYRACK-1032473
published2 Dec 2018
disclosed13 Nov 2018

Report a new vulnerability Found a mistake?

Introduced: 13 Nov 2018

CVE-2018-16471 (opens in a new tab) CWE-79 (opens in a new tab)

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:20.10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby-rack package and not the ruby-rack package as distributed by Ubuntu.

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

Cross-site Scripting (XSS) The advisory has been revoked - it doesn't affect any version of package ruby-rack (opens in a new tab)