Moderate severity vulnerability that affects rails

GHSA-fjfg-q662-gm6j · CVE-2007-5379

Published Oct 24, 2017 · Modified May 1, 2025

Description

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2007-5379
PACKAGE https://github.com/rails/rails
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml
WEB https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
WEB https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453
WEB http://bugs.gentoo.org/show_bug.cgi?id=195315
WEB http://docs.info.apple.com/article.html?artnum=307179
WEB http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
WEB http://security.gentoo.org/glsa/glsa-200711-17.xml
WEB http://www.us-cert.gov/cas/techalerts/TA07-352A.html
WEB http://www.vupen.com/english/advisories/2007/3508
WEB http://www.vupen.com/english/advisories/2007/4238

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes