Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-16471

Опубликовано: 13 нояб. 2018
Источник: debian
EPSS Низкий

Описание

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
ruby-rackfixed1.6.4-6package
ruby-rackfixed1.6.4-4+deb9u1stretchpackage

Примечания

  • Fixed by: https://github.com/rack/rack/commit/e5d58031b766e49687157b45edab1b8457d972bd (master)

  • Fixed by: https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7 (2.0.6)

  • Fixed by: https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594 (1.6.11)

EPSS

Процентиль: 38%
0.00168
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2018-16471

CVSS3: 6.1
ubuntu
около 7 лет назад

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

redhat логотип

CVE-2018-16471

CVSS3: 6.1
redhat
больше 7 лет назад

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

nvd логотип

CVE-2018-16471

CVSS3: 6.1
nvd
около 7 лет назад

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

suse-cvrf логотип

openSUSE-SU-2019:1553-1

suse-cvrf
больше 6 лет назад

Security update for rubygem-rack

github логотип

GHSA-5r2p-j47h-mhpg

CVSS3: 6.1
github
около 7 лет назад

Rack vulnerable to Cross-site Scripting

EPSS

Процентиль: 38%
0.00168
Низкий