CVE-2016-2098 — actionpack allows remote code execution via application's unrestricted use of re

Description

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

How to fix CVE-2016-2098

To remediate CVE-2016-2098, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 2:4.2.5.2-1 or later
—upgrade to 3.2.22.2 or later

Is CVE-2016-2098 being exploited?

Likely — EPSS is 86.7%, placing CVE-2016-2098 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 2:4.2.5.2-1
>= 3.0.0, < 3.2.22.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (17)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-2098
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-2098
PATCHgithub.com/rails/rails
WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
WEB