CVE-2016-2098
Multiple vulnerabilities have been fixed in Ruby On Rails. They allow an attacker to achieve remote arbitrary code execution and to breach the confidentiality of data.
EPSS 86.67% · 99.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| debian | debian_linux | 8.0 |
| rubyonrails | rails | 4.2.3, 4.2.1, 4.0.6 |
| rubyonrails | ruby_on_rails | 0, 4.1.14.1 |
| Ruby on Rails | Ruby on Rails | |
| RubyGems | actionpack | 4.2.0, 4.0.0, 3.0.0 |
Exploit Intelligence
- Proof of concept showing how CVE-2016-2098 leads to remote code execution (github-poc-repo)
- A PoC of CVE-2016-2098 (rails4.2.5.1 / view render) (github-poc-repo)
…and 254 more exploits
Timeline
- Mar 1, 2016 CVE Published
- Jul 11, 2016 PoC Published
- May 29, 2018 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- SUSE-SU-2016:0867 vendor-advisory
- SUSE-SU-2016:0967 vendor-advisory
- DSA-3509 vendor-advisory
- 83725 vdb
- 1035122 vdb
- 40086 exploit
- SUSE-SU-2016:0854 vendor-advisory
- openSUSE-SU-2016:0790 vendor-advisory
- SUSE-SU-2016:1146 vendor-advisory
- openSUSE-SU-2016:0835 vendor-advisory
- [ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack mailing-list
- http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/ url
- https://nvd.nist.gov/vuln/detail/CVE-2016-2098 advisory
- https://github.com/rails/rails package
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml url
- https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q url
- https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725 url
- https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ url
- https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122 url
- https://www.exploit-db.com/exploits/40086 url
…and 1 more