CVE-2007-5379
Ruby on Rails < 1.2.4 - Unauthenticated Arbitrary File Existence Disclosure and XML File Read via Hash.from_xml
Title source: llmDescription
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
References (13)
Core 13
Core References
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4238
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/3508
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-352A.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28136
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/26096
Third Party Advisory vendor-advisory
x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200711-17.xml
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/40717
Issue Tracking x_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=195315
Various Sources x_refsource_confirm
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307179
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27657
Various Sources x_refsource_confirm
http://dev.rubyonrails.org/ticket/8453
Scores
EPSS
0.1060
EPSS Percentile
93.4%
Details
CWE
CWE-200
Status
published
Products (2)
david_hansson/ruby_on_rails
< 1.2.3
rubygems/rails
0 - 1.2.4RubyGems
Published
Oct 19, 2007
Tracked Since
Feb 18, 2026