209 List of CVEs addressed by Rails LTS

Updated . Posted . Visible to the public.

This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or may not affect some versions). If a versions of Rails LTS is not mentioned, the fix was already done in an official release Ruby on Rails release, and is therefore also part of Rails LTS.

  • XSS vulnerability in the translate helper method in Ruby on Rails

    • Fixed in 2.3 LTS.
  • Possible XSS Security Vulnerability in SafeBuffer#[]

    • Rails 2.3 with up to date versions of the rails_xss plugin is not affected.
  • CVE-2012-1099

    • Fixed in 2.3 LTS.
  • CVE-2012-2660

    • Rails 2.3 is not affected.
  • CVE-2012-2661

    • Rails 2.3 is not affected.
  • CVE-2012-2694

    • Rails 2.3 is not affected.
  • CVE-2012-2695

    • Fixed in 2.3 LTS.
  • CVE-2012-3424

    • Rails 2.3 is not affected.
  • CVE-2012-3463

    • Rails 2.3 is not affected.
  • CVE-2012-3464

    • Fixed in 2.3 LTS.
  • CVE-2012-3465

    • Fixed in 2.3 LTS.
  • CVE-2012-5664 (a.k.a. CVE-2012-6496)

    • Fixed in 2.3 LTS.
  • CVE-2013-0155

    • Fixed in 2.3 LTS.
  • CVE-2013-0156

    • Fixed in 2.3 LTS.
  • CVE-2013-0276

    • Fixed in 2.3 LTS.
  • CVE-2013-0277

    • Fixed in 2.3 LTS.
  • CVE-2013-1855

    • Fixed in 2.3 LTS.
  • CVE-2013-1856

    • This is not fixed in 2.3 LTS, since Rails LTS does not support jRuby.
  • CVE-2013-1857

    • Fixed in 2.3 LTS.
  • CVE-2013-1854

    • Fixed in 2.3 LTS.
  • CVE-2013-3221

  • CVE-2013-4491

    • Rails 2.3 is not affected.
  • CVE-2013-6414

    • Rails 2.3 is not affected.
  • CVE-2013-6415

    • Fixed in 2.3 LTS.
  • CVE-2013-6417

    • Fixed in 2.3 LTS.
  • CVE-2013-6416

    • Rails 2.3 is not affected.
  • CVE-2014-0080

    • Rails 2.3 is not affected.
  • CVE-2014-0081

    • Fixed in 2.3 LTS.
  • CVE-2014-0082

    • Rails 2.3 is not affected.
  • CVE-2014-0130

    • Fixed in 2.3 LTS.
  • CVE-2014-3482

    • Fixed in 2.3 LTS.
  • CVE-2014-3483

    • Rails 2.3 is not affected.
  • CVE-2014-3514

    • Rails 2.3 is not affected.
  • CVE-2014-7818

    • Fixed in 2.3 LTS.
  • CVE-2014-7829

    • Rails 2.3 is not affected.
  • CVE-2015-1840

    • Rails 2.3 is not affected.
  • CVE-2015-3224

    • Rails 2.3 is not affected.
      use ActionDispatch::Executor
  • CVE-2015-3226

    • Rails 2.3 is not affected.
  • CVE-2015-3227

    • Fixed in 2.3 LTS.
  • Start of support for Rails 3.2 LTS. Earlier CVEs are all addressed.

  • CVE-2015-7576

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7577

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7578

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7579

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7580

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7581

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0751

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-0752

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0753

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2097

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2098

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6316

    • Rails 2.3 is not affected. A variant of this is fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6317

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-8048

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-3760

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16468

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16471

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Start of support for Rails 4.2 LTS. Earlier CVEs are all addressed.

  • CVE-2018-16476

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Fixed in 4.2 LTS.
  • CVE-2018-16477

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-5418

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5419

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5420

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-16782 / CVE-2019-25025

  • CVE-2020-5267

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-10663

    • Vulnerability is not part of Rails LTS. We advise users to upgrade to json 2.3.0 or later.
    • For users who are unable to upgrade we have released a workaround Show archive.org snapshot that will patch your json gem against this vulnerability.
  • CVE-2020-8130

  • CVE-2020-8151

  • CVE-2020-8159

  • CVE-2020-8161

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
  • CVE-2020-8162

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8163

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-8164

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8165

  • CVE-2020-8166

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8167

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8184

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
  • CVE-2020-15169

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2021-22880

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
  • CVE-2021-22881

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22885

  • CVE-2021-22902

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22903

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22904

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
  • Start of support for Rails 5.2 LTS. Earlier CVEs are all addressed.

  • CVE-2022-3704

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-23633

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-21831

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-22577

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-27777

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-30122

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
    • The Rails 5.2 LTS's version of Rack is not affected.
  • CVE-2022-30123

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • The Rails 5.2 LTS's version of Rack is not affected.
  • CVE-2022-31163

    • Vulnerability is part of tzinfo gem.
    • Updated required gem version in Rails 2.3 LTS.
    • Updated required gem version in Rails 3.2 LTS.
    • Updated required gem version in Rails 4.2 LTS.
    • Updated required gem version in Rails 5.2 LTS.
  • CVE-2022-32224

    • Note that this is not a vulnerability in itself, but allows attackers to escalate hypothetical other vulnerabilities ( see details Show archive.org snapshot
    • Fixed in Rails 2.3 LTS for Psych >= 2.0 (which requires Ruby >= 1.9)
    • Fixed in Rails 3.2 LTS for Psych >= 2.0 (which requires Ruby >= 1.9)
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-44566

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-44570

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2022-44571

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2022-44572

    • Does not affect Rails 2.3 / 3.2 LTS's version of Rack.
    • Does not affect Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-22792

    • Rails 2.3 LTS is not affected.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22794

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2023-22795

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22796

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22797

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2023-22799

    • This affects the globalid gem. Fixed in globalid 1.0.1. Addtionally:
    • Does not affect Rails 2.3 LTS apps.
    • Does not affect Rails 3.2 LTS apps.
    • Rails 4.2 LTS includes a monkey-patch fixing this vulnerability.
    • Rails 5.2 LTS includes a monkey-patch fixing this vulnerability.
  • CVE-2023-23913

    • This affects the jquery-ujs / prototype-ujs / rails-ujs gems / npm packages which are not part of Rails LTS itself. We will try to provide a fix in the future.
    • Rails 2.3 LTS is not affected.
    • Unfixed for Rails 3.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
    • Unfixed for Rails 4.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
    • Fixed for Rails 5.2 LTS when using the bundled rails_ujs using the asset pipeline.
    • Unfixed for Rails 5.2 LTS when using the rails-ujs npm package.
  • CVE-2023-27530

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-27539

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-28120

    • Rails 2.3 LTS is unaffected.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-28755

    • This is an issue in Ruby / the uri library.
    • Rails 2.3 LTS includes a monkey-patch.
    • Rails 3.2 LTS includes a monkey-patch.
    • Rails 4.2 LTS includes a monkey-patch.
    • Rails 5.2 LTS includes a monkey-patch.
  • CVE-2023-28756

    • This is an issue in Ruby / the time library.
    • Rails 2.3 LTS includes a monkey-patch.
    • Rails 3.2 LTS includes a monkey-patch.
    • Rails 4.2 LTS includes a monkey-patch.
    • Rails 5.2 LTS includes a monkey-patch.
  • CVE-2023-28362

    • This is a XSS issue in Rails' redirect_to method
    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-38037

    • This is an issue with ActiveSupport::EncryptedFile
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2024-25126

    • This is a ReDoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2024-26141

    • This is a DoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2024-26142

    • This is a ReDoS vulnerability in ActionDispatch.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26143

    • This is an XSS vulnerabilty in ActionController.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26144

    • This is a session information leak in ActiveStorage.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26146

    • This is a ReDoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
Tobias Kraze
Last edit
Emanuel
License
Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to Rails LTS documentation (2020-02-24 11:17)