CVE-2015-3226 — rails - security update

Description

Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.

How to fix CVE-2015-3226

To remediate CVE-2015-3226, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 2:4.2.4-2 or later
Debian/rails—upgrade to 2:4.1.8-1+deb8u1 or later
RubyGems/activesupport—upgrade to 4.1.11 or later

Is CVE-2015-3226 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2:4.2.4-2
from 0, < 2:4.1.8-1+deb8u1
>= 4.1.0, < 4.1.11

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3226
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-3226
PATCHgithub.com/rails/rails
WEBopenwall.com/lists/oss-security/2015/06/16/17
WEB