Vulnerability CVE-2012-3464 - CERT Civis.Net

Vulnerability Name:

CVE-2012-3464 (CCN-77571)

Assigned:

2012-08-09

Published:

2012-08-09

Updated:

2019-08-08

Summary:

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2012-3464

Source: CCN
Type: RHSA-2012-1542
Moderate: CloudForms Commons 1.1 security update

Source: CCN
Type: RHSA-2013-0154
Critical: Ruby on Rails security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0154

Source: CCN
Type: RHSA-2013-0582
Moderate: Red Hat OpenShift Enterprise 1.1.1 update

Source: CCN
Type: SA50128
Ruby on Rails Three Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
50694

Source: CCN
Type: Ruby on Rails Web Site
Rails 3.2.8 has been released!

Source: CONFIRM
Type: Vendor Advisory
http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/

Source: DEBIAN
Type: DSA-2655
rails -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 84516
Ruby on Rails HTML Escaping Code XSS

Source: CCN
Type: BID-54958
Ruby on Rails CVE-2012-3464 Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
rubyonrails-html-code-xss(77571)

Source: MLIST
Type: UNKNOWN
[rubyonrails-security] 20120810 Potential XSS Vulnerability in Ruby on Rails

Vulnerable Configuration:

Configuration 1:

cpe:/a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.9:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (Version <= 3.0.16)

Configuration 2:

cpe:/a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:26217	P	Security update for java-1_7_1-ibm (Moderate) (in QA)	2022-01-04
oval:org.opensuse.security:def:26218	P	Security update for java-1_8_0-ibm (Important) (in QA)	2022-01-04
oval:org.opensuse.security:def:26181	P	Security update for mozilla-nss (Important)	2021-12-06
oval:org.opensuse.security:def:20123464	V	CVE-2012-3464	2021-10-24
oval:org.opensuse.security:def:26117	P	Security update for xen (Important)	2021-09-02
oval:org.opensuse.security:def:26106	P	Security update for libmspack (Moderate)	2021-08-17
oval:org.opensuse.security:def:26105	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:36556	P	rubygem-actionpack-3_2-3.2.12-0.19.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:29361	P	Security update for the Linux Kernel (Important)	2021-05-17
oval:org.opensuse.security:def:26390	P	Security update for ark (Low)	2020-12-01
oval:org.opensuse.security:def:27915	P	Security update for xorg-x11-libs	2020-12-01
oval:org.opensuse.security:def:26993	P	mutt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26823	P	star on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28486	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:26559	P	gpg2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26309	P	Security update for haproxy (Important)	2020-12-01
oval:org.opensuse.security:def:29325	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:27904	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:26949	P	libfreebl3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26784	P	mono-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28334	P	Security update for php53 (Important)	2020-12-01
oval:org.opensuse.security:def:26502	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:28687	P	Security update for flash-player (Moderate)	2020-12-01
oval:org.opensuse.security:def:27903	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:26935	P	lcms on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26735	P	libMagickCore1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28250	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26421	P	Security update for hdf5 (Important)	2020-12-01
oval:org.opensuse.security:def:27554	P	rubygem-actionpack-3_2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28643	P	Security update for cabextract	2020-12-01
oval:org.opensuse.security:def:26896	P	foomatic-filters on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26682	P	cyrus-imapd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28193	P	Security update for libcares2 (Low)	2020-12-01
oval:org.opensuse.security:def:26293	P	Security update for raptor (Important)	2020-12-01
oval:org.opensuse.security:def:27519	P	nagios on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28627	P	Security update for MozillaFirefox (Critical)	2020-12-01
oval:org.opensuse.security:def:26847	P	yast2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26531	P	coolkey on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28109	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:27666	P	Security update for rubygem-activesupport-2_3	2020-12-01
oval:org.opensuse.security:def:26229	P	Security update for xawtv (Moderate)	2020-12-01
oval:org.opensuse.security:def:26881	P	dbus-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28588	P	Security update for Mozilla NSS	2020-12-01
oval:org.opensuse.security:def:26794	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26447	P	Security update for pdns (Important)	2020-12-01
oval:org.opensuse.security:def:27979	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27631	P	Security update for Samba	2020-12-01
oval:org.opensuse.security:def:26837	P	vte on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28539	P	Security update for CUPS	2020-12-01
oval:org.opensuse.security:def:26643	P	systemtap on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:17839	P	DSA-2655-1 rails - several	2014-06-23
oval:com.ubuntu.precise:def:20123464000	V	CVE-2012-3464 on Ubuntu 12.04 LTS (precise) - medium.	2012-08-10
oval:com.ubuntu.trusty:def:20123464000	V	CVE-2012-3464 on Ubuntu 14.04 LTS (trusty) - medium.	2012-08-10
oval:com.ubuntu.xenial:def:201234640000000	V	CVE-2012-3464 on Ubuntu 16.04 LTS (xenial) - medium.	2012-08-10
oval:com.ubuntu.xenial:def:20123464000	V	CVE-2012-3464 on Ubuntu 16.04 LTS (xenial) - medium.	2012-08-10