Platform: ruby
Component: actionpack
Fixed in: 3.0.4
CVE-2011-0449 describes an access restriction bypass vulnerability within Ruby on Rails. This flaw stems from improper handling of filters associated with templates on case-insensitive filesystems, enabling remote attackers to circumvent intended access controls. The vulnerability impacts Ruby on Rails versions 3.0.x prior to 3.0.4, and a fix is available in version 3.0.4.
An attacker can exploit this vulnerability by crafting a malicious action name that leverages the case-insensitive nature of the filesystem. This allows them to access templates that they should not be authorized to view, potentially leading to unauthorized access to sensitive information or functionality within the Rails application. The impact is particularly severe in environments where template access controls are relied upon to restrict access to specific parts of the application. This bypass effectively circumvents the intended security measures, granting attackers broader access than anticipated.
This CVE was published in 2017, though the vulnerability itself dates back to 2011. There is no indication of active exploitation campaigns targeting this specific vulnerability. Public proof-of-concept exploits are not widely available, suggesting a relatively low exploitation probability. It is not listed on the CISA KEV catalog.
Applications still running older, unpatched versions of Ruby on Rails (3.0.x before 3.0.4) are at significant risk. Shared hosting environments that utilize Ruby on Rails and have not been updated are particularly vulnerable, as they may be running legacy configurations.
• ruby / server:
find /path/to/rails/app -name '*.rb' -print0 | xargs -0 grep -i 'actionpack/lib/action_view/template/resolver.rb'
• ruby / server:
journalctl -u puma -g "actionpack/lib/action_view/template/resolver.rb"
• generic web: Check application logs for unusual access patterns or errors related to template resolution.
Exploit status: EPSS 0.56% (68th percentile)
The primary mitigation for CVE-2011-0449 is to upgrade to Ruby on Rails version 3.0.4 or later. If upgrading is not immediately feasible, consider implementing a workaround by ensuring that all template paths are consistently cased across the application. This can help prevent the case-insensitive filesystem from being exploited. Additionally, review and strengthen access control mechanisms within the application to minimize the potential impact of unauthorized template access. After upgrading, verify template resolution by attempting to access various templates with different case variations to confirm the fix.
No official patch available. Check for workarounds or monitor for updates.
CVE-2011-0449 is a vulnerability in Ruby on Rails versions 3.0.x before 3.0.4 that allows attackers to bypass access restrictions on case-insensitive filesystems by manipulating action names.
You are affected if you are running Ruby on Rails versions 3.0.x prior to 3.0.4. Check your application's version to determine if you are vulnerable.
Upgrade to Ruby on Rails version 3.0.4 or later to resolve this vulnerability. Ensure consistent casing of action names as a temporary workaround.
There is no current evidence of active exploitation campaigns targeting CVE-2011-0449, but it remains a risk for unpatched systems.
Refer to the Ruby on Rails security advisories for details: https://github.com/rails/rails/security/advisories
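One way to run the version check described above against a Gemfile.lock, as an added example (not code from this page or from the Rails project). The function names and the sample lockfile are constructed for illustration; the affected range is the one this page states, 3.0.x before 3.0.4.

```ruby
require "rubygems"

# Affected range as stated on this page: 3.0.x before 3.0.4.
FIXED_VERSION = Gem::Version.new("3.0.4")
WATCHED_GEMS  = %w[rails actionpack].freeze

# True for any 3.0.x release or pre-release older than 3.0.4.
def affected_version?(version_string)
  version = Gem::Version.new(version_string)
  version.segments[0, 2] == [3, 0] && version < FIXED_VERSION
rescue ArgumentError
  false # not a parseable version string
end

# Returns [[gem_name, version], ...] for resolved gems in the affected range.
# Resolved specs sit at exactly four spaces of indentation under "specs:";
# deeper-indented lines are dependency constraints and are skipped.
def affected_gems(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    match = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)\s*\z/)
    next unless match && WATCHED_GEMS.include?(match[1])
    [match[1], match[2]] if affected_version?(match[2])
  end
end

# Human-readable result lines for a lockfile (hypothetical helper).
def report(lockfile_text)
  hits = affected_gems(lockfile_text)
  return ["no rails/actionpack version in the affected range"] if hits.empty?
  hits.map { |name, ver| "AFFECTED: #{name} #{ver}, upgrade to #{FIXED_VERSION} or later" }
end

# Constructed sample lockfile (not taken from a real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.0.3)
        activemodel (= 3.0.3)
        rack (~> 1.2.1)
      rails (3.0.3)
        actionpack (= 3.0.3)
      rack (1.2.1)

  DEPENDENCIES
    rails (= 3.0.3)
LOCK

path = ARGV.first
puts report(path && File.file?(path) ? File.read(path) : SAMPLE_LOCKFILE)
```

Pass the path to a real Gemfile.lock as the first argument; without one the script reports on the constructed sample.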