Posted 7 months ago.

List of CVEs addressed by Rails LTS

This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or do not affect some versions). If a version of Rails LTS is not mentioned, the fix was already included in an official Ruby on Rails release, and is therefore also part of Rails LTS.

  • XSS vulnerability in the translate helper method in Ruby on Rails

    • Fixed in 2.3 LTS.
  • Possible XSS Security Vulnerability in SafeBuffer#[]

    • Rails 2.3 with up to date versions of the rails_xss plugin is not affected.
  • CVE-2012-1099

    • Fixed in 2.3 LTS.
  • CVE-2012-2660

    • Rails 2.3 is not affected.
  • CVE-2012-2661

    • Rails 2.3 is not affected.
  • CVE-2012-2694

    • Rails 2.3 is not affected.
  • CVE-2012-2695

    • Fixed in 2.3 LTS.
  • CVE-2012-3424

    • Rails 2.3 is not affected.
  • CVE-2012-3463

    • Rails 2.3 is not affected.
  • CVE-2012-3464

    • Fixed in 2.3 LTS.
  • CVE-2012-3465

    • Fixed in 2.3 LTS.
  • CVE-2012-5664

    • Fixed in 2.3 LTS.
  • CVE-2013-0155

    • Fixed in 2.3 LTS.
  • CVE-2013-0156

    • Fixed in 2.3 LTS.
  • CVE-2013-0276

    • Fixed in 2.3 LTS.
  • CVE-2013-0277

    • Fixed in 2.3 LTS.
  • CVE-2013-1855

    • Fixed in 2.3 LTS.
  • CVE-2013-1856

    • This is not fixed in 2.3 LTS, since Rails LTS does not support JRuby.
  • CVE-2013-1857

    • Fixed in 2.3 LTS.
  • CVE-2013-1854

    • Fixed in 2.3 LTS.
  • CVE-2013-4491

    • Rails 2.3 is not affected.
  • CVE-2013-6414

    • Rails 2.3 is not affected.
  • CVE-2013-6415

    • Fixed in 2.3 LTS.
  • CVE-2013-6417

    • Fixed in 2.3 LTS.
  • CVE-2013-6416

    • Rails 2.3 is not affected.
  • CVE-2014-0080

    • Rails 2.3 is not affected.
  • CVE-2014-0081

    • Fixed in 2.3 LTS.
  • CVE-2014-0082

    • Rails 2.3 is not affected.
  • CVE-2014-0130

    • Fixed in 2.3 LTS.
  • CVE-2014-3482

    • Fixed in 2.3 LTS.
  • CVE-2014-3483

    • Rails 2.3 is not affected.
  • CVE-2014-3514

    • Rails 2.3 is not affected.
  • CVE-2014-7818

    • Fixed in 2.3 LTS.
  • CVE-2014-7829

    • Rails 2.3 is not affected.
  • CVE-2015-1840

    • Rails 2.3 is not affected.
  • CVE-2015-3224

    • Rails 2.3 is not affected.
  • CVE-2015-3226

    • Rails 2.3 is not affected.
  • CVE-2015-3227

    • Fixed in 2.3 LTS.
  • Start of support for Rails 3.2 LTS. Earlier CVEs are all addressed.

  • CVE-2015-7576

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7577

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7578

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7579

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7580

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7581

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0751

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-0752

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0753

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2097

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2098

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6316

    • Rails 2.3 is not affected. A variant of this is fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6317

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-8048

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-3760

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16468

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16471

    • Vulnerability is not part of Rails LTS. We have forked rack with a fix.
  • Start of support for Rails 4.2 LTS. Earlier CVEs are all addressed.

  • CVE-2018-16476

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Fixed in 4.2 LTS.
  • CVE-2018-16477

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-5418

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5419

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5420

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-16782

  • CVE-2020-5267

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-10663

    • Vulnerability is not part of Rails LTS. We advise users to upgrade to json 2.3.0 or later.
    • For users who are unable to upgrade we have released a workaround that will patch your json gem against this vulnerability.
  • CVE-2020-8151

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Vulnerability is not part of Rails 4.2 LTS. We have forked activeresource with a fix.
  • CVE-2020-8159

  • CVE-2020-8161

    • Vulnerability is not part of Rails LTS. We have forked rack with a fix.
  • CVE-2020-8162

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8163

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-8164

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8165

  • CVE-2020-8166

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8167

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8184

    • Vulnerability is not part of Rails LTS. We backported the patch to our forked rack.
  • CVE-2020-15169

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.

Owner of this card: Tobias Kraze
Last edit: 15 days ago by Arne Hartherz