Vulnerabilities > Rubyonrails > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-09 | CVE-2023-22792 | Unspecified vulnerability in Rubyonrails Rails A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. | 7.5 |
| 2023-02-09 | CVE-2023-22795 | A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. | 7.5 |
| 2023-02-09 | CVE-2023-22799 | Unspecified vulnerability in Rubyonrails Globalid A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. | 7.5 |
| 2022-12-14 | CVE-2022-23517 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. | 7.5 |
| 2021-06-11 | CVE-2021-22902 | Unspecified vulnerability in Rubyonrails Rails The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. | 7.5 |
| 2021-06-11 | CVE-2021-22904 | Unspecified vulnerability in Rubyonrails Rails The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. | 7.5 |
| 2021-05-27 | CVE-2021-22885 | Information Exposure Through an Error Message vulnerability in multiple products A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. | 7.5 |
| 2021-02-11 | CVE-2021-22880 | Resource Exhaustion vulnerability in multiple products The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. | 7.5 |
| 2020-07-02 | CVE-2020-8163 | Code Injection vulnerability in multiple products The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. | 8.8 |
| 2020-06-19 | CVE-2020-8164 | Deserialization of Untrusted Data vulnerability in multiple products A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. | 7.5 |