CVE-2007-5379

Loading...

General

Score:5.0/10.0
Severity:Medium
Category:Information Leak / Disclosure

Impact Metrics

Confidentiality:Partial
Integrity:None
Availability:None

Exploitability Metrics

Access Vector:Network
Access Complexity:Low
Authentication:None

Relative vulnerabilities

CVE-2006-0024, CVE-2007-1218, CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-3227, CVE-2007-3798, CVE-2007-3876, CVE-2007-4131, CVE-2007-4138, CVE-2007-4351, CVE-2007-4572, CVE-2007-4708, CVE-2007-4709, CVE-2007-4710, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4965, CVE-2007-5116, CVE-2007-5380, CVE-2007-5398, CVE-2007-5476, CVE-2007-5770, CVE-2007-5847, CVE-2007-5848, CVE-2007-5849, CVE-2007-5850, CVE-2007-5851, CVE-2007-5853, CVE-2007-5854, CVE-2007-5855, CVE-2007-5856, CVE-2007-5857, CVE-2007-5858, CVE-2007-5859, CVE-2007-5860, CVE-2007-5861, CVE-2007-5863, CVE-2007-6077, CVE-2007-6165

Published on 20/10/07 - Updated on 31/10/12

Description

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Category: Information Leak / Disclosure

CWE-200 (Information Exposure)
An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Security Notices

US National Vulnerability DatabaseCVE-2007-5379
Renater 2007/VULN450, 2007/VULN522

Exploits

No exploits available for this CVE in our database.

Relative technologies

VendorProduct
david_hanssonruby_on_rails

Share this vulnerability with:

Twitter Facebook LinkedIn Mail