Platform
ruby
Component
actionpack
Fixed in
3.0.4
CVE-2011-0449 describes an access restriction bypass in Ruby on Rails. The flaw stems from the way filters are matched to actions while templates are looked up on case-insensitive filesystems, which lets remote attackers circumvent intended access controls. It affects Ruby on Rails 3.0.x prior to 3.0.4; the fix shipped in 3.0.4.
An attacker exploits it by requesting an action name whose alphabetic characters differ in case from the name the application defines (for example Index in place of index). Filters that are tied to specific action names compare the requested name exactly, so they do not apply to the altered name, yet on a case-insensitive filesystem the template lookup still finds the template for the intended action and renders it. The protected content is therefore served without the filter having run, which can expose restricted areas of the application and lead to unauthorized data disclosure or modification. The impact is greater where the affected application stores or processes sensitive data.
CVE-2011-0449 was publicly disclosed in February 2011, alongside the Ruby on Rails 3.0.4 release that fixes it. There is no indication of active exploitation campaigns targeting this vulnerability, and no public proof-of-concept exploit is readily available; note, however, that the trigger is simply a request with altered case in the action name, so the absence of a published exploit is no safeguard. It was not added to the CISA KEV catalog. The vulnerability's age and the availability of a patch suggest a low probability of exploitation in modern, well-maintained systems.
Exploit Status
EPSS
0.56% (68th percentile)
The primary mitigation for CVE-2011-0449 is to upgrade to Ruby on Rails 3.0.4 or later. Consistent casing of action names inside the application is not a workaround: the case variation comes from the attacker's request, not from the application's code. If upgrading is not immediately feasible, reduce exposure by not relying solely on filters scoped to particular action names for access control, and by rejecting any request whose action name is not an exact, case-sensitive match for an action the controller defines. Deploying on a case-sensitive filesystem removes the trigger, but that is an environmental property rather than a fix. After upgrading, confirm the fix by requesting a protected action with altered case in the action name (for example Index instead of index); the request must not render the protected template without the filter having run.
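As an added illustration of the mechanism described above and of the interim check suggested in the mitigation, the following Ruby script is a toy model written for this page; it is not Rails code and not taken from the advisory. It simulates a filter declared for one action name, a case-insensitive template lookup, and a dispatcher that falls back to rendering a template when no action method matches. All names (dispatch_vulnerable, dispatch_hardened, require_login, the template list) are constructed for the example, and the real Rails internals differ in detail.

```ruby
# Added example, not code from Rails or from the advisory: a toy model of a
# filter keyed on an exact action name being skipped when template lookup is
# case-insensitive, and the check that closes the gap. All names are invented.

# Constructed "filesystem": template paths compared case-insensitively, as a
# case-insensitive filesystem (for example default HFS+ or NTFS) would do.
TEMPLATES = ["users/index.html.erb", "users/show.html.erb"].freeze

def template_exists?(controller, action)
  wanted = "#{controller}/#{action}.html.erb".downcase
  TEMPLATES.any? { |path| path.downcase == wanted }
end

# Filters declared for particular actions are selected by comparing the
# requested action name exactly (case-sensitively), like
# `before_filter :require_login, :only => :index`.
FILTERS = [{ name: :require_login, only: ["index"] }].freeze

def filters_for(action)
  FILTERS.select { |f| f[:only].include?(action) }.map { |f| f[:name] }
end

# Vulnerable dispatch: the filter list comes from the raw action name, and a
# request for a name that is not a defined action still renders whichever
# template the filesystem matches.
def dispatch_vulnerable(controller, action, defined_actions)
  ran = filters_for(action)
  if defined_actions.include?(action)
    { filters: ran, result: "ran #{controller}##{action}" }
  elsif template_exists?(controller, action)
    { filters: ran, result: "rendered template #{controller}/#{action}" }
  else
    { filters: ran, result: "not found" }
  end
end

# Hardened dispatch: the action name must be an exact, case-sensitive match
# for a defined action before filters are resolved or any template is used.
def dispatch_hardened(controller, action, defined_actions)
  refused = { filters: [], result: "not found" }
  return refused unless defined_actions.include?(action)
  { filters: filters_for(action), result: "ran #{controller}##{action}" }
end

if __FILE__ == $0
  actions = ["index", "show"]
  p dispatch_vulnerable("users", "index", actions) # filter runs
  p dispatch_vulnerable("users", "Index", actions) # template rendered, filter skipped
  p dispatch_hardened("users", "Index", actions)   # refused
end
```

In a real 3.0.x application that cannot be upgraded immediately, the equivalent of dispatch_hardened is a filter with no :only/:except restriction that compares the request's action name against the controller's defined action names and returns 404 for anything else; that is the editor's suggestion for an interim control, not a vendor-published workaround, and it does not replace the upgrade.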
Patch status
Official fix available in Ruby on Rails 3.0.4; earlier 3.0.x releases must be upgraded.
CVE-2011-0449 is a vulnerability in Ruby on Rails versions 3.0.x before 3.0.4 that allows attackers to bypass access restrictions on case-insensitive filesystems by altering the case of the action name in a request.
You are affected if you are running Ruby on Rails versions 3.0.x prior to 3.0.4. Check your application's version to determine if you are vulnerable.
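One way to make that version check mechanical is to read the locked actionpack version from the application's Gemfile.lock and compare it against the affected range 3.0.0 up to but excluding 3.0.4. The Ruby script below is an added example written for this page, not tooling from the Rails project; the lockfile text it parses is constructed for the example, and the function names are invented.

```ruby
# Added example (not from the page or the Rails project): flag a Gemfile.lock
# whose locked actionpack version falls in 3.0.0 <= v < 3.0.4.
require "rubygems"

AFFECTED = Gem::Requirement.new(">= 3.0.0", "< 3.0.4")

# Returns the locked version string for gem_name, or nil if it is not locked.
# In Gemfile.lock, locked gems appear under "specs:" indented by exactly four
# spaces as "    name (x.y.z)"; their dependencies are indented further.
def locked_version(lock_text, gem_name = "actionpack")
  lock_text.each_line do |line|
    if (m = line.match(/\A\s{4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# true when the lockfile pins an actionpack release in the affected range.
def affected_by_cve_2011_0449?(lock_text)
  version = locked_version(lock_text)
  return false if version.nil?
  AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Constructed sample lockfile for demonstration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.0.3)
        activemodel (= 3.0.3)
        rack (~> 1.2.1)
      activemodel (3.0.3)
      rack (1.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.0.3)
LOCK

if __FILE__ == $0
  text = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0])
  puts "actionpack #{locked_version(text).inspect}: " \
       "#{affected_by_cve_2011_0449?(text) ? 'affected' : 'not affected'}"
end
```

Run it with a path to a real Gemfile.lock to check an application; with no argument it evaluates the constructed sample. Using Gem::Requirement for the comparison avoids string-comparison mistakes such as treating 3.0.10 as older than 3.0.4.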
Upgrade to Ruby on Rails 3.0.4 or later to resolve this vulnerability. Consistent casing of action names in the application is not a workaround, because the attacker controls the case in the request; until you upgrade, reject requests whose action name is not an exact, case-sensitive match for a defined action.
There is no current evidence of active exploitation campaigns targeting CVE-2011-0449, but it remains a risk for unpatched systems.
Refer to the Ruby on Rails security advisories for details: https://github.com/rails/rails/security/advisories