CVE-2015-3224 Common Vulnerabilities and Exposures

Upstream information

CVE-2015-3224 at MITRE

Description

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	None
Integrity Impact	Partial
Availability Impact	None

SUSE Bugzilla entry: 934796 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2025:15129-1, published Sun May 18 18:50:31 2025

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`ruby2.7-rubygem-web-console >= 4.1.0-1.5` `ruby3.0-rubygem-web-console >= 4.1.0-1.5` `ruby3.2-rubygem-web-console >= 4.2.0-1.9` `ruby3.3-rubygem-web-console >= 4.2.1-1.5` `ruby3.4-rubygem-web-console >= 4.2.1-1.7`	Patchnames: openSUSE-Tumbleweed-2024-11356 openSUSE-Tumbleweed-2024-13172 openSUSE-Tumbleweed-2024-14179 openSUSE-Tumbleweed-2025-15129

SUSE Timeline for this CVE

CVE page created: Mon Jun 15 23:22:50 2015
CVE page last modified: Sun May 18 19:20:00 2025