CVE-2007-5379
General | |
|---|---|
| Score: | 5.0/10.0 |
| Severity: | Medium |
| Category: | Information Leak / Disclosure |
Impact Metrics | |
| Confidentiality: | Partial |
| Integrity: | None |
| Availability: | None |
Exploitability Metrics | |
| Access Vector: | Network |
| Access Complexity: | Low |
| Authentication: | None |
Relative vulnerabilities
CVE-2006-0024, CVE-2007-1218, CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-3227, CVE-2007-3798, CVE-2007-3876, CVE-2007-4131, CVE-2007-4138, CVE-2007-4351, CVE-2007-4572, CVE-2007-4708, CVE-2007-4709, CVE-2007-4710, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4965, CVE-2007-5116, CVE-2007-5380, CVE-2007-5398, CVE-2007-5476, CVE-2007-5770, CVE-2007-5847, CVE-2007-5848, CVE-2007-5849, CVE-2007-5850, CVE-2007-5851, CVE-2007-5853, CVE-2007-5854, CVE-2007-5855, CVE-2007-5856, CVE-2007-5857, CVE-2007-5858, CVE-2007-5859, CVE-2007-5860, CVE-2007-5861, CVE-2007-5863, CVE-2007-6077, CVE-2007-6165
Published on 20/10/07 - Updated on 31/10/12
Description
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
Category: Information Leak / Disclosure
CWE-200 (Information Exposure)
An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
Security Notices
 | CVE-2007-5379 |
 | 2007/VULN450, 2007/VULN522 |
Exploits
No exploits available for this CVE in our database.