CVE-2015-3224 Common Vulnerabilities and Exposures

Upstream information

CVE-2015-3224 at MITRE

Description

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	None
Integrity Impact	Partial
Availability Impact	None

SUSE Bugzilla entry: 934796 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`ruby2.7-rubygem-web-console >= 4.1.0-1.5` `ruby3.0-rubygem-web-console >= 4.1.0-1.5` `ruby3.2-rubygem-web-console >= 4.2.0-1.9` `ruby3.3-rubygem-web-console >= 4.2.1-1.5`	Patchnames: openSUSE-Tumbleweed-2024-11356 openSUSE-Tumbleweed-2024-13172 openSUSE-Tumbleweed-2024-14179

SUSE Timeline for this CVE

CVE page created: Mon Jun 15 23:22:50 2015
CVE page last modified: Tue Sep 3 18:29:55 2024