Posted about 1 month ago.

List of CVEs addressed by Rails LTS

This is a list of known CVEs relevant to Rails LTS 2.3 and later. Each CVE is fixed in every version of Rails LTS, or does not affect the version in question. If a version of Rails LTS is not mentioned under a CVE, the fix was already part of an official Ruby on Rails release and is therefore also part of Rails LTS.

  • XSS vulnerability in the translate helper method in Ruby on Rails
    • Fixed in 2.3 LTS.
  • Possible XSS Security Vulnerability in SafeBuffer#[]
    • Rails 2.3 with up-to-date versions of the rails_xss plugin is not affected.
  • CVE-2012-1099
    • Fixed in 2.3 LTS.
  • CVE-2012-2660
    • Rails 2.3 is not affected.
  • CVE-2012-2661
    • Rails 2.3 is not affected.
  • CVE-2012-2694
    • Rails 2.3 is not affected.
  • CVE-2012-2695
    • Fixed in 2.3 LTS.
  • CVE-2012-3424
    • Rails 2.3 is not affected.
  • CVE-2012-3463
    • Rails 2.3 is not affected.
  • CVE-2012-3464
    • Fixed in 2.3 LTS.
  • CVE-2012-3465
    • Fixed in 2.3 LTS.
  • CVE-2012-5664
    • Fixed in 2.3 LTS.
  • CVE-2013-0155
    • Fixed in 2.3 LTS.
  • CVE-2013-0156
    • Fixed in 2.3 LTS.
  • CVE-2013-0276
    • Fixed in 2.3 LTS.
  • CVE-2013-0277
    • Fixed in 2.3 LTS.
  • CVE-2013-1855
    • Fixed in 2.3 LTS.
  • CVE-2013-1856
    • This is not fixed in 2.3 LTS, since Rails LTS does not support JRuby.
  • CVE-2013-1857
    • Fixed in 2.3 LTS.
  • CVE-2013-1854
    • Fixed in 2.3 LTS.
  • CVE-2013-4491
    • Rails 2.3 is not affected.
  • CVE-2013-6414
    • Rails 2.3 is not affected.
  • CVE-2013-6415
    • Fixed in 2.3 LTS.
  • CVE-2013-6417
    • Fixed in 2.3 LTS.
  • CVE-2013-6416
    • Rails 2.3 is not affected.
  • CVE-2014-0080
    • Rails 2.3 is not affected.
  • CVE-2014-0081
    • Fixed in 2.3 LTS.
  • CVE-2014-0082
    • Rails 2.3 is not affected.
  • CVE-2014-0130
    • Fixed in 2.3 LTS.
  • CVE-2014-3482
    • Fixed in 2.3 LTS.
  • CVE-2014-3483
    • Rails 2.3 is not affected.
  • CVE-2014-3514
    • Rails 2.3 is not affected.
  • CVE-2014-7818
    • Fixed in 2.3 LTS.
  • CVE-2014-7829
    • Rails 2.3 is not affected.
  • CVE-2015-1840
    • Rails 2.3 is not affected.
  • CVE-2015-3224
    • Rails 2.3 is not affected.
  • CVE-2015-3226
    • Rails 2.3 is not affected.
  • CVE-2015-3227
    • Fixed in 2.3 LTS.
  • Start of support for Rails 3.2 LTS. Earlier CVEs are all addressed.
  • CVE-2015-7576
    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7577
    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7578
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7579
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7580
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7581
    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0751
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-0752
    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0753
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2097
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2098
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6316
    • Rails 2.3 is not affected. A variant of this is fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6317
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-8048
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-3760
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16468
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16471
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • Start of support for Rails 4.2 LTS. Earlier CVEs are all addressed.
  • CVE-2018-16476
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Fixed in 4.2 LTS.
  • CVE-2018-16477
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-5418
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5419
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5420
    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-16782
  • CVE-2020-5267
    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2020-10663
    • This vulnerability is in the json gem, not in Rails LTS itself. We advise users to upgrade to json 2.3.0 or later.
    • For users who are unable to upgrade, we have released a workaround that patches your json gem against this vulnerability.
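As an added example (not part of this card or of the Rails LTS project), the following Ruby script checks a Gemfile.lock for the json gem version recommended above for CVE-2020-10663. The Gemfile.lock excerpt, the function names and the threshold constant are constructed for illustration.

```ruby
# Added example, not from the makandra card or Rails LTS: read the resolved
# gem versions out of a Gemfile.lock and check whether the json gem is at
# least the 2.3.0 recommended above for CVE-2020-10663.
require 'rubygems'

# Minimal Gemfile.lock parser. Returns a hash of gem name => Gem::Version for
# every direct "name (version)" entry under a "specs:" section. Transitive
# dependency lines (indented by six spaces) carry version requirements, not
# resolved versions, and are ignored on purpose.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/        # "  specs:" opens the spec list
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/  # a new top-level section ends it
    next unless in_specs
    if line =~ /\A    ([A-Za-z0-9_\-.]+) \(([^)\s]+)\)/
      specs[$1] = Gem::Version.new($2)
    end
  end
  specs
end

# Assumed threshold, taken from the advice on the card above.
JSON_FIXED_VERSION = Gem::Version.new('2.3.0')

# Returns :ok, :vulnerable or :missing for the json gem in the lockfile.
def json_gem_status(lockfile_text)
  version = parse_lockfile_specs(lockfile_text)['json']
  return :missing if version.nil?
  version >= JSON_FIXED_VERSION ? :ok : :vulnerable
end

# Constructed Gemfile.lock excerpt (not taken from any real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.2.0)
      rack (1.6.13)
      rails (4.2.11.3)
        actionpack (= 4.2.11.3)
        json (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 4.2.11.3)
LOCK

if __FILE__ == $0
  puts "json gem: #{json_gem_status(SAMPLE_LOCKFILE)}"
end
```

Run it against a real lockfile with `json_gem_status(File.read('Gemfile.lock'))`. Note that the check only looks at the version number, so an application that keeps an older json gem and applies the workaround mentioned above will still be reported as `:vulnerable`; treat the result as a prompt to verify, not as proof of exposure.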

Owner of this card: Tobias Kraze
Last edit: 9 days ago by Henning Koch