CVE-2006-4112 — Rails Denial of Service vulnerability

Description

Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.

How to fix CVE-2006-4112

To remediate CVE-2006-4112, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 1.1.6-1 or later
RubyGems/rails—upgrade to 1.1.6 or later

Is CVE-2006-4112 being exploited?

Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.1.6-1
>= 1.1.0, < 1.1.6

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2006-4112
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2006-4112
PATCHgithub.com/rails/rails
WEBexchange.xforce.ibmcloud.com/vulnerabilities/28364
WEB