CVE-2007-5379
Moderate severity vulnerability that affects rails
EPSS 6.8%
Description
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
How to fix CVE-2007-5379
To remediate CVE-2007-5379, upgrade the affected package to a fixed version below.
- Debian/rails—upgrade to 1.2.5-1 or later
- RubyGems/rails—upgrade to 1.2.4 or later
Is CVE-2007-5379 being exploited?
Moderate — EPSS is 6.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/rails: from 0, < 1.2.5-1
- RubyGems/rails: from 0, < 1.2.4
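To turn the fixed versions above into a quick inventory check, here is an added Ruby example (not code from this advisory page or from the Rails project). It takes the output of `gem list --local` (a constructed sample is embedded, not captured from a real host) and reports any installed rails gem below the RubyGems fix version 1.2.4, and it compares a Debian package version against the Debian fix version 1.2.5-1. The Debian comparison is a deliberate simplification: it splits on the hyphen, compares the upstream part with `Gem::Version` and the revision numerically, and ignores epochs and non-numeric revisions.

```ruby
require 'rubygems'

# Fixed versions from the advisory: upstream RubyGems and Debian's package.
FIXED_RUBYGEMS = Gem::Version.new('1.2.4')
FIXED_DEBIAN   = '1.2.5-1'

# Constructed sample of `gem list --local` output (not captured from a real host).
SAMPLE_GEM_LIST = <<~OUT
  *** LOCAL GEMS ***

  actionpack (1.2.3)
  rails (1.2.3, 1.2.6)
  rake (0.8.1)
OUT

# Return the installed rails versions (as strings) that fall in the
# advisory's affected range "< 1.2.4" for the RubyGems ecosystem.
def vulnerable_rails_gems(gem_list_output)
  line = gem_list_output.lines.find { |l| l.start_with?('rails (') }
  return [] unless line
  # "rails (1.2.3, 1.2.6)" -> ["1.2.3", "1.2.6"]; newer gem versions may
  # prefix a version with "default: ", which is stripped here.
  versions = line[/\(([^)]*)\)/, 1].split(',').map { |v| v.strip.sub(/\Adefault: /, '') }
  versions.select { |v| Gem::Version.new(v) < FIXED_RUBYGEMS }
end

# Debian versions look like "1.2.5-1": upstream part, hyphen, Debian revision.
# Gem::Version would parse "1.2.5-1" as a prerelease of 1.2.5, so compare the
# upstream part with Gem::Version and the revision numerically. This is a
# simplification: epochs ("2:...") and non-numeric revisions are not handled.
def debian_rails_vulnerable?(installed, fixed = FIXED_DEBIAN)
  inst_up, inst_rev = installed.split('-', 2)
  fix_up,  fix_rev  = fixed.split('-', 2)
  cmp = Gem::Version.new(inst_up) <=> Gem::Version.new(fix_up)
  return cmp < 0 unless cmp.zero?
  inst_rev.to_i < fix_rev.to_i
end

if __FILE__ == $PROGRAM_NAME
  puts "RubyGems rails needing upgrade: #{vulnerable_rails_gems(SAMPLE_GEM_LIST).inspect}"
  puts "Debian rails 1.2.3-1 vulnerable? #{debian_rails_vulnerable?('1.2.3-1')}"
end
```

On the sample above only `1.2.3` is reported, since `1.2.6` is already past the fix; a host with several rails gems installed is only clean once every version at or above the fix is the one the application actually loads.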