Bug 1129268 (CVE-2019-5420)

Summary: VUL-1: CVE-2019-5420: rubygem-rails-4_2,rubygem-rails-5_1,rubygem-rails-3_2: possible remote code executing in Rails
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Marcus Rückert <mrueckert>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: dcooper, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/226096/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2019-03-14 15:21:20 UTC
CVE-2019-5420

There is a possible remote code execution exploit in Rails when in
development mode. This vulnerability has been assigned the CVE identifier
CVE-2019-5420.

Versions Affected:  6.0.0.X, 5.2.X.
Not affected:       None.
Fixed Versions:     6.0.0.beta3, 5.2.2.1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5420
http://seclists.org/oss-sec/2019/q1/176

Comment 1 Robert Frohl 2019-03-14 15:22:33 UTC
We only ship the older versions, which are not affected.

Comment 6 Robert Frohl 2022-09-28 11:41:05 UTC
Re-evaluated based on [0]:

Neither 4.2.x nor 5.1.x is affected by this specific issue.

[0] https://rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released