List of CVEs addressed by Rails LTS

This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or may not affect some versions). If a versions of Rails LTS is not mentioned, the fix was already done in an official release Ruby on Rails release, and is therefore also part of Rails LTS.

• XSS vulnerability in the translate helper method in Ruby on Rails

  • Fixed in 2.3 LTS.

• Possible XSS Security Vulnerability in SafeBuffer#[]

  • Rails 2.3 with up to date versions of the rails_xss plugin is not affected.

• CVE-2012-1099

  • Fixed in 2.3 LTS.

• CVE-2012-2660

  • Rails 2.3 is not affected.

• CVE-2012-2661

  • Rails 2.3 is not affected.

• CVE-2012-2694

  • Rails 2.3 is not affected.

• CVE-2012-2695

  • Fixed in 2.3 LTS.

• CVE-2012-3424

  • Rails 2.3 is not affected.

• CVE-2012-3463

  • Rails 2.3 is not affected.

• CVE-2012-3464

  • Fixed in 2.3 LTS.

• CVE-2012-3465

  • Fixed in 2.3 LTS.

• CVE-2012-5664 (a.k.a. CVE-2012-6496)

  • Fixed in 2.3 LTS.

• CVE-2013-0155

  • Fixed in 2.3 LTS.

• CVE-2013-0156

  • Fixed in 2.3 LTS.

• CVE-2013-0276

  • Fixed in 2.3 LTS.

• CVE-2013-0277

  • Fixed in 2.3 LTS.

• CVE-2013-1855

  • Fixed in 2.3 LTS.

• CVE-2013-1856

  • This is not fixed in 2.3 LTS, since Rails LTS does not support jRuby.

• CVE-2013-1857

  • Fixed in 2.3 LTS.

• CVE-2013-1854

  • Fixed in 2.3 LTS.

• CVE-2013-3221

  • Partially mitigated in 2.3 LTS.
  • Partially mitigated in 3.2 LTS.
  • See here Show archive.org snapshot for more details.

• CVE-2013-4491

  • Rails 2.3 is not affected.

• CVE-2013-6414

  • Rails 2.3 is not affected.

• CVE-2013-6415

  • Fixed in 2.3 LTS.

• CVE-2013-6417

  • Fixed in 2.3 LTS.

• CVE-2013-6416

  • Rails 2.3 is not affected.

• CVE-2014-0080

  • Rails 2.3 is not affected.

• CVE-2014-0081

  • Fixed in 2.3 LTS.

• CVE-2014-0082

  • Rails 2.3 is not affected.

• CVE-2014-0130

  • Fixed in 2.3 LTS.

• CVE-2014-3482

  • Fixed in 2.3 LTS.

• CVE-2014-3483

  • Rails 2.3 is not affected.

• CVE-2014-3514

  • Rails 2.3 is not affected.

• CVE-2014-7818

  • Fixed in 2.3 LTS.

• CVE-2014-7829

  • Rails 2.3 is not affected.

• CVE-2015-1840

  • Rails 2.3 is not affected.

• CVE-2015-3224

  • Rails 2.3 is not affected.
    use ActionDispatch::Executor

• CVE-2015-3226

  • Rails 2.3 is not affected.

• CVE-2015-3227

  • Fixed in 2.3 LTS.

• Start of support for Rails 3.2 LTS. Earlier CVEs are all addressed.

• CVE-2015-7576

  • Rails 2.3 is not affected.
  • Fixed in 3.2 LTS.

• CVE-2015-7577

  • Rails 2.3 is not affected.
  • Fixed in 3.2 LTS.

• CVE-2015-7578

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2015-7579

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2015-7580

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2015-7581

  • Rails 2.3 is not affected.
  • Fixed in 3.2 LTS.

• CVE-2016-0751

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.

• CVE-2016-0752

  • Rails 2.3 is not affected.
  • Fixed in 3.2 LTS.

• CVE-2016-0753

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.

• CVE-2016-2097

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.

• CVE-2016-2098

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.

• CVE-2016-6316

  • Rails 2.3 is not affected. A variant of this is fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.

• CVE-2016-6317

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2018-8048

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2018-3760

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2018-16468

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.

• CVE-2018-16471

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.

• Start of support for Rails 4.2 LTS. Earlier CVEs are all addressed.

• CVE-2018-16476

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.
  • Fixed in 4.2 LTS.

• CVE-2018-16477

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.
  • Rails 4.2 is not affected.

• CVE-2019-5418

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.
  • Fixed in 4.2 LTS.

• CVE-2019-5419

  • Fixed in 2.3 LTS.
  • Fixed in 3.2 LTS.
  • Fixed in 4.2 LTS.

• CVE-2019-5420

  • Rails 2.3 is not affected.
  • Rails 3.2 is not affected.
  • Rails 4.2 is not affected.

• CVE-2019-16782 / CVE-2019-25025

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Vulnerability is not part of Rails 4.2 LTS. We have released a fork of activerecord-session_store Show archive.org snapshot with a fix.

• CVE-2020-5267

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.

• CVE-2020-10663

  • Vulnerability is not part of Rails LTS. We advise users to upgrade to json 2.3.0 or later.
  • For users who are unable to upgrade we have released a workaround Show archive.org snapshot that will patch your json gem against this vulnerability.

• CVE-2020-8130

  • Vulnerability is not part of Rails LTS, but we released a fix to Rails 2.3 LTS to allow users to upgrade their rake version to >= 12.3.3. Users on Ruby 1.8.7 can use our fork of rake 10.5 Show archive.org snapshot . see details Show archive.org snapshot

• CVE-2020-8151

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Vulnerability is not part of Rails 4.2 LTS. We have forked activeresource Show archive.org snapshot with a fix.

• CVE-2020-8159

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Vulnerability is not part of Rails 4.2 LTS. We have forked actionpack-page_caching Show archive.org snapshot with a fix.

• CVE-2020-8161

  • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in the Rails 4.2 LTS's version of Rack.

• CVE-2020-8162

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2020-8163

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.

• CVE-2020-8164

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2020-8165

  • Addressed in Rails 2.3 LTS. Potential code changes required Show archive.org snapshot
  • Addressed in Rails 3.2 LTS. Potential code changes required Show archive.org snapshot
  • Fixed in Rails 4.2 LTS.

• CVE-2020-8166

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2020-8167

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2020-8184

  • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in the Rails 4.2 LTS's version of Rack.

• CVE-2020-15169

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.

• CVE-2021-22880

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Fixed in Rails 4.2 LTS.

• CVE-2021-22881

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2021-22885

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Contains a potentially breaking change

• CVE-2021-22902

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2021-22903

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.

• CVE-2021-22904

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Fixed in Rails 4.2 LTS.

• Start of support for Rails 5.2 LTS. Earlier CVEs are all addressed.

• CVE-2022-3704

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-23633

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-21831

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-22577

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-27777

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-30122

  • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in the Rails 4.2 LTS's version of Rack.
  • The Rails 5.2 LTS's version of Rack is not affected.

• CVE-2022-30123

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in Rails 4.2 LTS's version of Rack.
  • The Rails 5.2 LTS's version of Rack is not affected.

• CVE-2022-31163

  • Vulnerability is part of tzinfo gem.
  • Updated required gem version in Rails 2.3 LTS.
  • Updated required gem version in Rails 3.2 LTS.
  • Updated required gem version in Rails 4.2 LTS.
  • Updated required gem version in Rails 5.2 LTS.

• CVE-2022-32224

  • Note that this is not a vulnerability in itself, but allows attackers to escalate hypothetical other vulnerabilities ( see details Show archive.org snapshot
  • Fixed in Rails 2.3 LTS for Psych >= 2.0 (which requires Ruby >= 1.9)
  • Fixed in Rails 3.2 LTS for Psych >= 2.0 (which requires Ruby >= 1.9)
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-22795

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-44566

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2022-44570

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in Rails 4.2 LTS's version of Rack.
  • Fixed in Rails 5.2 LTS's version of Rack.

• CVE-2022-44571

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in Rails 4.2 LTS's version of Rack.
  • Fixed in Rails 5.2 LTS's version of Rack.

• CVE-2022-44572

  • Does not affect Rails 2.3 / 3.2 LTS's version of Rack.
  • Does not affect Rails 4.2 LTS's version of Rack.
  • Fixed in Rails 5.2 LTS's version of Rack.

• CVE-2023-22792

  • Rails 2.3 LTS is not affected.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2023-22794

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Rails 5.2 LTS is not affected.

• CVE-2023-22795

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2023-22796

  • Fixed in Rails 2.3 LTS.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2023-22797

  • Rails 2.3 LTS is not affected.
  • Rails 3.2 LTS is not affected.
  • Rails 4.2 LTS is not affected.
  • Rails 5.2 LTS is not affected.

• CVE-2023-22799

  • This affects the globalid gem. Fixed in globalid 1.0.1. Addtionally:
  • Does not affect Rails 2.3 LTS apps.
  • Does not affect Rails 3.2 LTS apps.
  • Rails 4.2 LTS includes a monkey-patch fixing this vulnerability.
  • Rails 5.2 LTS includes a monkey-patch fixing this vulnerability.

• CVE-2023-23913

  • This affects the jquery-ujs / prototype-ujs / rails-ujs gems / npm packages which are not part of Rails LTS itself. We will try to provide a fix in the future.
  • Rails 2.3 LTS is not affected.
  • Unfixed for Rails 3.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
  • Unfixed for Rails 4.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
  • Fixed for Rails 5.2 LTS when using the bundled rails_ujs using the asset pipeline.
  • Unfixed for Rails 5.2 LTS when using the rails-ujs npm package.

• CVE-2023-27530

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in Rails 4.2 LTS's version of Rack.
  • Fixed in Rails 5.2 LTS's version of Rack.

• CVE-2023-27539

  • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Fixed in Rails 4.2 LTS's version of Rack.
  • Fixed in Rails 5.2 LTS's version of Rack.

• CVE-2023-28120

  • Rails 2.3 LTS is unaffected.
  • Fixed in Rails 3.2 LTS.
  • Fixed in Rails 4.2 LTS.
  • Fixed in Rails 5.2 LTS.

• CVE-2023-28755

  • This is an issue in Ruby / the uri library.
  • Rails 2.3 LTS includes a monkey-patch.
  • Rails 3.2 LTS includes a monkey-patch.
  • Rails 4.2 LTS includes a monkey-patch.
  • Rails 5.2 LTS includes a monkey-patch.

• CVE-2023-28756

  • This is an issue in Ruby / the time library.
  • Rails 2.3 LTS includes a monkey-patch.
  • Rails 3.2 LTS includes a monkey-patch.
  • Rails 4.2 LTS includes a monkey-patch.
  • Rails 5.2 LTS includes a monkey-patch.