CVE-2011-3187

Rails < 2.3.13 - Improper Input Validation


Description

The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

Exploits (1)

exploitdb (working PoC, verified)
by Jimmy Bandit · rubyremotemultiple
https://www.exploit-db.com/exploits/35352

Scores

EPSS 0.0905
EPSS Percentile 92.7%

Details

CWE
CWE-20
Status published
Products (2)
rubygems/actionpack 2.3.0 - 2.3.13 (RubyGems)
rubyonrails/rails 3.0.5
Published Aug 29, 2011
Tracked Since Feb 18, 2026