OSVDB-95749: Remote code execution and potential Denial of Service Vulnerability

August 15, 2008

Activeresource contains a format string flaw in the request function of lib/active_resource/connection.rb. The issue is triggered as format string specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input when passed via the result.code and result.message variables. This may allow a remote attacker to cause a denial of service or potentially execute arbitrary code.

References

github.com/rails/rails/commit/aad7cac6add2fa01cebbb36e9f546292d632c9ea
github.com/rubysec/ruby-advisory-db/blob/master/gems/activeresource/OSVDB-95749.yml

Code Behaviors & Features

Detect and mitigate OSVDB-95749 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →