Skip to content

@jfirebaugh /gist:4532291
Last active

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries.

Directly vulnerable libraries

rails

Vulnerable: <= 3.2.10, <= 3.1.9, <= 3.0.18, <= 2.3.14

Fixed: 3.2.11, 3.1.10, 3.0.19, 2.3.15

multi_xml

Vulnerable: <= 0.5.1

Fixed: 0.5.2

httparty

Vulnerable: <= 0.9.0

Fixed: 0.10.0

extlib

Vulnerable: <= 0.9.15

Fixed: 0.9.16

crack

Vulnerable: <= 0.3.1

Fixed: 0.3.2

nori

Vulnerable: <= 2.0.1, <= 1.1.3, <= 1.0.2

Fixed: 2.0.2, 1.1.4, 1.0.3

Libraries with vulnerable dependencies

Not all dependent libraries are listed, only those that have either released a version that explicitly depends on a fixed version of one of the above libraries or otherwise mitigated the security threat.

grape (via multi_xml)

Vulnerable: <= 0.2.4

Fixed: 0.2.5 (workaround)

Fixed: 0.2.6 (updated multi_xml dependency)

chef (via extlib)

Vulnerable: <= 10.16.5

Fixed: 10.16.6 (updated extlib dependency)

@tiegz

The old geokit-rails gems are also vulnerable too, with their controller code. There are 2 main forks from what I can tell, but I don't think either has been fixed yet.

@NARKOZ

globalize3 not affected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.