Upstream information

CVE-2015-3224 at MITRE

Description

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
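The pattern the description refers to, as an added illustration (this is not code from the web-console gem, from Rails, or from this advisory): a client-IP lookup that lets X-Forwarded-For override the address the TCP connection actually came from, next to a hardened lookup that only honors the header when the connection arrived from a configured reverse proxy. The proxy range, the whitelist, and the request environments below are constructed assumptions for the example; the gem's real whitelist and request handling are not reproduced here.

```ruby
require "ipaddr"

# Assumptions for this example (not values from the advisory or the gem):
# the application sits behind reverse proxies in 10.0.0.0/8, and the console
# is meant to be reachable only from localhost and one internal subnet.
TRUSTED_PROXIES = [IPAddr.new("10.0.0.0/8")].freeze
WHITELISTED_IPS = [IPAddr.new("127.0.0.1"), IPAddr.new("192.168.1.0/24")].freeze

# Constructed Rack-style request environments (not captured traffic).
SAMPLE_REQUESTS = {
  # Attacker connects directly and spoofs the header.
  direct_spoof:    { "REMOTE_ADDR" => "203.0.113.7",
                     "HTTP_X_FORWARDED_FOR" => "127.0.0.1" },
  # Internal client reaches the app through a trusted proxy.
  via_proxy_legit: { "REMOTE_ADDR" => "10.0.0.5",
                     "HTTP_X_FORWARDED_FOR" => "192.168.1.20" },
  # Attacker sends a spoofed header; the proxy appends the real peer address.
  via_proxy_spoof: { "REMOTE_ADDR" => "10.0.0.5",
                     "HTTP_X_FORWARDED_FOR" => "127.0.0.1, 203.0.113.7" },
  # Header present but not an address at all.
  garbage_header:  { "REMOTE_ADDR" => "203.0.113.7",
                     "HTTP_X_FORWARDED_FOR" => "127.0.0.1 OR 1=1" },
}.freeze

# Parse an address string, returning nil instead of raising on junk input.
def parse_ip(str)
  return nil if str.nil? || str.strip.empty?
  IPAddr.new(str.strip)
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

# True when str parses and falls inside any of the given networks.
def in_any?(networks, str)
  ip = parse_ip(str)
  !ip.nil? && networks.any? { |net| net.include?(ip) }
end

def trusted_proxy?(addr)
  in_any?(TRUSTED_PROXIES, addr)
end

# X-Forwarded-For as a list of hops, left = furthest from us.
def forwarded_chain(env)
  (env["HTTP_X_FORWARDED_FOR"] || "").split(",").map(&:strip).reject(&:empty?)
end

# Vulnerable pattern: whatever the client put in X-Forwarded-For wins over
# the address the TCP connection actually came from.
def vulnerable_client_ip(env)
  forwarded_chain(env).first || env["REMOTE_ADDR"]
end

# Hardened pattern: start from the socket peer, and only walk X-Forwarded-For
# (right to left, i.e. from the nearest hop outward) while each hop is one of
# our own proxies. The first untrusted hop is the client; anything to its left
# was supplied by that client and is ignored.
def hardened_client_ip(env)
  peer = env["REMOTE_ADDR"]
  return peer unless trusted_proxy?(peer)
  forwarded_chain(env).reverse_each do |hop|
    return hop unless trusted_proxy?(hop)
  end
  peer
end

# The whitelist check itself is the same in both cases; only its input differs.
def permitted?(client_ip)
  in_any?(WHITELISTED_IPS, client_ip)
end

# Evaluate every sample request under both strategies.
def evaluate(requests = SAMPLE_REQUESTS)
  requests.transform_values do |env|
    { vulnerable: permitted?(vulnerable_client_ip(env)),
      hardened:   permitted?(hardened_client_ip(env)) }
  end
end

if $PROGRAM_NAME == __FILE__
  evaluate.each do |name, r|
    puts "#{name}: vulnerable=#{r[:vulnerable]} hardened=#{r[:hardened]}"
  end
end
```

Under the vulnerable lookup, both spoofed requests are admitted because the attacker-controlled header is taken at face value; under the hardened lookup only the request that really originated inside 192.168.1.0/24 passes, and a malformed header is rejected rather than raising. In a Rails deployment the equivalent is to derive the address from ActionDispatch's remote_ip handling with `config.action_dispatch.trusted_proxies` set to your proxies, and to take the fixed gem versions listed on this page; IP-based gating of a debugging console should never rely on a header the peer can write.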

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
SUSE Bugzilla entry: 934796 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • ruby2.7-rubygem-web-console >= 4.1.0-1.5
  • ruby3.0-rubygem-web-console >= 4.1.0-1.5
  • ruby3.2-rubygem-web-console >= 4.2.0-1.9
Patchnames:
openSUSE Tumbleweed GA ruby2.7-rubygem-web-console-4.1.0-1.5
openSUSE Tumbleweed GA ruby3.2-rubygem-web-console-4.2.0-1.9


SUSE Timeline for this CVE

CVE page created: Mon Jun 15 23:22:50 2015
CVE page last modified: Sun Aug 27 09:14:44 2023