exploitDog

CVE-2025-55193

Published: 13 Aug 2025
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

A flaw was found in activerecord. The find and similar methods may log unescaped identifiers passed as IDs, including ANSI escape codes. An attacker with the ability to directly observe the application's terminal output can view these unescaped sequences. This allows for the injection of ANSI escape codes into the terminal display, leading to visual manipulation of the output.
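As an added illustration (not code from the advisory, Red Hat, or the Rails project), the Ruby snippet below shows how an identifier carrying terminal control bytes reaches a "record not found" log message unchanged, then two defences: escaping at the message with String#inspect, and sanitizing at the Logger formatter so no call site is trusted. The model name, message wording and the sample ID are constructed for the example.

```ruby
# Added example, not from the advisory or the Rails code base: an identifier
# carrying control bytes passes through interpolation into a log message.
require "logger"
require "stringio"

# Constructed sample: an "ID" as a hostile request parameter might carry it.
# \e is ESC (0x1b); "\e[2K" clears the terminal line, "\e[1G" moves to column
# 1, so printed raw it overwrites the log line with attacker-chosen text.
MALICIOUS_ID = "1\e[2K\e[1Grecord 1 deleted".freeze

# C0 control characters (ESC included) and DEL; terminals act on these.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Vulnerable pattern (hypothetical reconstruction of the flaw, not Rails
# code): the ID is interpolated as-is.
def not_found_message_unsafe(model, id)
  "Couldn't find #{model} with 'id'=#{id}"
end

# Per-message fix: String#inspect renders ESC as the two characters "\e",
# so a terminal displays the sequence instead of executing it.
def not_found_message_safe(model, id)
  "Couldn't find #{model} with 'id'=#{id.to_s.inspect}"
end

# Logger-level fix, independent of call sites: a formatter that rewrites
# every control byte as \xNN before the line is written.
def sanitizing_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, _time, _progname, msg|
    clean = msg.to_s.gsub(CONTROL_CHARS) { |c| format("\\x%02x", c.ord) }
    "#{severity}: #{clean}\n"
  end
  logger
end

# True when text still holds raw control bytes a terminal would interpret.
def contains_raw_escape?(text)
  text.match?(CONTROL_CHARS)
end

if __FILE__ == $PROGRAM_NAME
  puts contains_raw_escape?(not_found_message_unsafe("User", MALICIOUS_ID)) # true
  puts contains_raw_escape?(not_found_message_safe("User", MALICIOUS_ID))   # false
  out = StringIO.new
  sanitizing_logger(out).warn(not_found_message_unsafe("User", MALICIOUS_ID))
  puts out.string.include?("\\x1b[2K")                                        # true
end
```

The formatter approach also neutralises newline injection into log lines, since "\n" inside a message is rewritten as \x0a while the formatter's own trailing newline is appended afterwards.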

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                  Package                  Status        Advisory  Release
Red Hat 3scale API Management Platform 2  3scale-amp2/zync-rhel8   Fix deferred
Red Hat 3scale API Management Platform 2  3scale-amp2/zync-rhel9   Fix deferred


Additional information

Status: Moderate
Weakness: CWE-150
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2388446 (activerecord: Active Record ANSI Injection Vulnerability)

EPSS: 0.00056 (percentile 17%, Low)

CVSS3: 4.3 (Medium)

Related vulnerabilities

ubuntu, 13 days ago: same description as above.
nvd, 14 days ago: same description as above.
debian, 14 days ago: same description as above (truncated on the page).
github, 14 days ago: "Active Record logging vulnerable to ANSI escape injection".
