Detections
Analytics
Debian DSA-2247-1 : rails - several vulnerabilities
medium Nessus Plugin ID 55035
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2011-0446 Multiple cross-site scripting (XSS) vulnerabilities when JavaScript encoding is used, allow remote attackers to inject arbitrary web script or HTML.
- CVE-2011-0447 Rails does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks.
Solution
Upgrade the rails packages.For the oldstable distribution (lenny), this problem has been fixed in version 2.1.0-7+lenny0.1.
For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze0.1.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
https://security-tracker.debian.org/tracker/CVE-2011-0446
https://security-tracker.debian.org/tracker/CVE-2011-0447
Plugin Details
Severity: Medium
ID: 55035
File Name: debian_DSA-2247.nasl
Version: 1.12
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 6/10/2011
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:rails, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 5/31/2011
Reference Information
CVE: CVE-2011-0446, CVE-2011-0447
BID: 46291
DSA: 2247