CVSS v3.x: 8.8 (High)
- >= 22.214.171.124
There was a vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 126.96.36.199
In the scenario where an attacker might be able to control the name of a local passed into render, they can achieve remote code execution.
Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.
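One way to apply the alphanumeric check described above, as an added example that is not part of the original advisory or of Rails itself. The names LOCAL_NAME, filter_locals and SAMPLE are hypothetical, and the optional allowed list goes one step beyond the advisory's workaround by restricting names to ones the template is known to use.

```ruby
# Added example: filter user-supplied local names before they reach render.
# LOCAL_NAME and filter_locals are hypothetical names, not Rails APIs.

# \A and \z anchor the whole string. In Ruby, ^ and $ match per line, so a
# pattern written with them would accept a name containing a newline.
LOCAL_NAME = /\A[A-Za-z0-9]+\z/

# Returns [accepted, rejected]. accepted is a Hash with symbol keys that is
# safe to pass as `locals:`; rejected lists the dropped names for logging.
# allowed (optional, an assumption of this example) is a list of permitted names.
def filter_locals(user_locals, allowed: nil)
  accepted = {}
  rejected = []
  user_locals.each do |name, value|
    key = name.to_s
    ok = LOCAL_NAME.match?(key) && (allowed.nil? || allowed.include?(key))
    if ok
      accepted[key.to_sym] = value
    else
      rejected << key
    end
  end
  [accepted, rejected]
end

# Constructed sample input standing in for request parameters.
SAMPLE = {
  "title"      => "Hello",
  "page2"      => 2,
  "user name"  => "x", # contains a space
  "title\nfoo" => "x", # contains a newline
  "a;b"        => "x", # contains punctuation
  ""           => "x"  # empty name
}.freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = filter_locals(SAMPLE)
  puts "accepted: #{accepted.keys.inspect}"
  puts "rejected: #{rejected.inspect}"
  # In a controller, pass only the filtered hash:
  #   render "widgets/show", locals: accepted
end
```

Logging the rejected names gives a signal that a client is sending unexpected local names.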