Vendor: Ruby on Rails
By: Unknown
CVSS: 8.1 (HIGH)
CWE: 117 (Log File Injection)
Product Name: Ruby on Rails
Affected Version From: Ruby on Rails 3.0.5
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:rubyonrails:ruby_on_rails:3.0.5
Platforms Tested:
2011
Log File Injection – Ruby on Rails 3.0.5
Because the 'WEBrick::HTTPRequest' module does not sufficiently sanitize the 'X-Forwarded-For', 'X-Forwarded-Host' and 'X-Forwarded-Server' HTTP headers, attackers can inject arbitrary content through them. By inserting arbitrary data into an affected header field, attackers may be able to launch cross-site request forgery, cross-site scripting, HTML injection and other attacks.
Mitigation:
Validate the value of request.remote_ip before using or logging it, until a fix is available.
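A defensive check in the spirit of that mitigation, as an added example that is not part of this advisory or of Rails itself: it validates each X-Forwarded-For entry as a syntactic IP address (rejecting anything containing control characters, which is what a forged log line depends on) and neutralizes header values before they are written to a log. The headers hash shape, the sample header values and the function names are assumptions made for illustration.

```ruby
require "ipaddr"

# Headers Rails consults when computing request.remote_ip. A client can set
# any of them freely, so nothing in them is trustworthy until validated.
# (Header names from the advisory; the hash layout is assumed.)
FORWARDED_HEADERS = %w[X-Forwarded-For X-Forwarded-Server X-Forwarded-Host].freeze

# Only characters that can appear in a literal IPv4/IPv6 address. This also
# excludes CR, LF, spaces and '/' (no CIDR ranges) before parsing is attempted.
IP_CHARSET = /\A[0-9a-fA-F:.]+\z/

# Return the first syntactically valid IP address in an X-Forwarded-For value
# (comma-separated, as proxies append them), or nil when no entry is valid.
def validated_forwarded_ip(xff_value)
  return nil if xff_value.nil?

  xff_value.split(",").map(&:strip).each do |candidate|
    next if candidate.empty? || !candidate.match?(IP_CHARSET)
    begin
      return IPAddr.new(candidate).to_s   # IPAddr normalizes the address
    rescue IPAddr::Error                  # invalid or mixed-family address
      next
    end
  end
  nil
end

# Neutralize a value before it reaches the log: every control character is
# replaced by a visible \xNN escape, so an injected CRLF can no longer start
# a second, attacker-authored log line.
def sanitize_for_log(value)
  value.to_s.gsub(/[[:cntrl:]]/) { |c| format("\\x%02X", c.ord) }
end

# Build the fields a request log line would carry: the validated client IP
# (nil if none of the forwarded entries is a real address) and the raw
# header value in log-safe form for forensic comparison.
def log_fields(headers)
  xff = headers["X-Forwarded-For"]
  { remote_ip: validated_forwarded_ip(xff), raw_forwarded_for: sanitize_for_log(xff) }
end

# Constructed sample requests (not captured traffic): one benign proxy chain
# and one whose header carries a CRLF payload that mimics a fresh Rails line.
SAMPLE_HEADERS = {
  benign:   { "X-Forwarded-For" => "203.0.113.7, 10.0.0.2" },
  injected: { "X-Forwarded-For" => "203.0.113.7\r\nStarted GET \"/admin\" for 127.0.0.1" },
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each do |name, headers|
    puts "#{name}: #{log_fields(headers).inspect}"
  end
end
```

In a Rails application the same two steps would sit in a before_action (or a custom log formatter): use the validated address for anything security-relevant, and never write a raw X-Forwarded-* value to the log without passing it through the sanitizer first.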