Security update for rubygem-actionpack-3_2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:15116-1 Final 1 1 2022-12-08T13:02:42Z current 2022-12-08T13:02:42Z 2022-12-08T13:02:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-3_2 This update for rubygem-actionpack-3_2 fixes the following issues: - CVE-2021-22885: Fixed Possible Information Disclosure / Unintended Method Execution in Action Pack (bsc#1185715). - CVE-2016-2097: Fixed Possible Information Leak Vulnerability in Action View (bsc#968850). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slewyst13-rubygem-actionpack-3_2-15116 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-202215116-1/ Link for SUSE-SU-2022:15116-1 https://lists.suse.com/pipermail/sle-security-updates/2022-December/013203.html E-Mail link for SUSE-SU-2022:15116-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185715 SUSE Bug 1185715 https://bugzilla.suse.com/968850 SUSE Bug 968850 https://www.suse.com/security/cve/CVE-2016-2097/ SUSE CVE CVE-2016-2097 page https://www.suse.com/security/cve/CVE-2021-22885/ SUSE CVE CVE-2021-22885 page SUSE WebYast 1.3 rubygem-actionpack-3_2-3.2.12-0.27.3.1 rubygem-actionpack-3_2-3.2.12-0.27.3.1 as a component of SUSE WebYast 1.3 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. CVE-2016-2097 SUSE WebYast 1.3:rubygem-actionpack-3_2-3.2.12-0.27.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202215116-1/ https://www.suse.com/security/cve/CVE-2016-2097.html CVE-2016-2097 https://bugzilla.suse.com/963332 SUSE Bug 963332 https://bugzilla.suse.com/968850 SUSE Bug 968850 A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. CVE-2021-22885 SUSE WebYast 1.3:rubygem-actionpack-3_2-3.2.12-0.27.3.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202215116-1/ https://www.suse.com/security/cve/CVE-2021-22885.html CVE-2021-22885 https://bugzilla.suse.com/1185715 SUSE Bug 1185715