CVE-2007-5379

CVSS 5.0 - MEDIUM
Description

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Affected Products
1
Vendor Product Version
david_hansson ruby_on_rails All versions
References
http://bugs.gentoo.org/show_bug.cgi?id=195315
http://dev.rubyonrails.org/ticket/8453
http://docs.info.apple.com/article.html?artnum=307...
http://lists.apple.com/archives/security-announce/...
http://osvdb.org/40717
http://secunia.com/advisories/27657
http://secunia.com/advisories/28136
http://security.gentoo.org/glsa/glsa-200711-17.xml
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-...
http://www.securityfocus.com/bid/26096
http://www.us-cert.gov/cas/techalerts/TA07-352A.ht...
http://www.vupen.com/english/advisories/2007/3508
http://www.vupen.com/english/advisories/2007/4238
http://bugs.gentoo.org/show_bug.cgi?id=195315
http://dev.rubyonrails.org/ticket/8453
http://docs.info.apple.com/article.html?artnum=307...
http://lists.apple.com/archives/security-announce/...
http://osvdb.org/40717
http://secunia.com/advisories/27657
http://secunia.com/advisories/28136
Weakness Types
CWE-200
CVE Information
CVE ID:
CVE-2007-5379
Published:
2007-10-19
Modified:
2026-04-23
CVSS Score:
5.0
Severity:
MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
Affected Vendors
david_hansson
Quick Actions
View on NVD Find Similar CVEs
CVSS Severity Scale
0.0 - 3.9 LOW
4.0 - 6.9 MEDIUM
7.0 - 8.9 HIGH
9.0 - 10.0 CRITICAL