CVE-2007-5379

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

ails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

References

Link	Resource
http://bugs.gentoo.org/show_bug.cgi?id=195315
http://dev.rubyonrails.org/ticket/8453
http://docs.info.apple.com/article.html?artnum=307179
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
http://osvdb.org/40717
http://secunia.com/advisories/27657
http://secunia.com/advisories/28136
http://security.gentoo.org/glsa/glsa-200711-17.xml
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
http://www.securityfocus.com/bid/26096	Patch
http://www.us-cert.gov/cas/techalerts/TA07-352A.html	US Government Resource
http://www.vupen.com/english/advisories/2007/3508
http://www.vupen.com/english/advisories/2007/4238
http://bugs.gentoo.org/show_bug.cgi?id=195315
http://dev.rubyonrails.org/ticket/8453
http://docs.info.apple.com/article.html?artnum=307179
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
http://osvdb.org/40717
http://secunia.com/advisories/27657
http://secunia.com/advisories/28136
http://security.gentoo.org/glsa/glsa-200711-17.xml
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
http://www.securityfocus.com/bid/26096	Patch
http://www.us-cert.gov/cas/techalerts/TA07-352A.html	US Government Resource
http://www.vupen.com/english/advisories/2007/3508
http://www.vupen.com/english/advisories/2007/4238

Configurations

Configuration 1 (hide)

cpe:2.3:a:david_hansson:ruby_on_rails:*:*:*:*:*:*:*:*

History

21 Nov 2024, 00:37

Type	Values Removed	Values Added
References	~~() http://bugs.gentoo.org/show_bug.cgi?id=195315 -~~	() http://bugs.gentoo.org/show_bug.cgi?id=195315 -
References	~~() http://dev.rubyonrails.org/ticket/8453 -~~	() http://dev.rubyonrails.org/ticket/8453 -
References	~~() http://docs.info.apple.com/article.html?artnum=307179 -~~	() http://docs.info.apple.com/article.html?artnum=307179 -
References	~~() http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html -~~	() http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html -
References	~~() http://osvdb.org/40717 -~~	() http://osvdb.org/40717 -
References	~~() http://secunia.com/advisories/27657 -~~	() http://secunia.com/advisories/27657 -
References	~~() http://secunia.com/advisories/28136 -~~	() http://secunia.com/advisories/28136 -
References	~~() http://security.gentoo.org/glsa/glsa-200711-17.xml -~~	() http://security.gentoo.org/glsa/glsa-200711-17.xml -
References	~~() http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release -~~	() http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release -
References	~~() http://www.securityfocus.com/bid/26096 - Patch~~	() http://www.securityfocus.com/bid/26096 - Patch
References	~~() http://www.us-cert.gov/cas/techalerts/TA07-352A.html - US Government Resource~~	() http://www.us-cert.gov/cas/techalerts/TA07-352A.html - US Government Resource
References	~~() http://www.vupen.com/english/advisories/2007/3508 -~~	() http://www.vupen.com/english/advisories/2007/3508 -
References	~~() http://www.vupen.com/english/advisories/2007/4238 -~~	() http://www.vupen.com/english/advisories/2007/4238 -

Information

Published : 2007-10-19 23:17

Updated : 2025-04-09 00:30

NVD link : CVE-2007-5379

Mitre link : CVE-2007-5379

CVE.ORG link : CVE-2007-5379

JSON object : View

Products Affected

david_hansson

ruby_on_rails

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

5.0 /10