CVE-2007-5379

NameCVE-2007-5379
DescriptionRails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)wheezy2:2.3.14.2fixed
jessie (security), jessie2:4.1.8-1+deb8u4fixed
stretch2:4.2.7.1-1fixed
buster, sid2:4.2.9-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssource(unstable)1.2.5-1medium
railssourceetch(not affected)

Notes

[etch] - rails <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems