title: Possible remote code execution vulnerability in Action Pack
description: "There is a possible remote code execution vulnerability in Action Pack.\nThis
vulnerability has been assigned the CVE identifier CVE-2016-2098.\n\nVersions Affected:
\ 3.2.x, 4.0.x, 4.1.x, 4.2.x\nNot affected: 5.0+\nFixed Versions: 126.96.36.199,
188.8.131.52, 184.108.40.206\n\nImpact \n------ \nApplications that pass unverified user input
to the `render` method in a\ncontroller or a view may be vulnerable to a code injection.\n\nImpacted
code will look like this:\n\n```ruby\nclass TestController < ApplicationController\n
\ def show\n    render params[:id]\n  end\nend\n```\n\nAn attacker could use the
request parameters to coerce the above example\nto execute arbitrary Ruby code.\n\nAll
users running an affected release should either upgrade or use one of \nthe workarounds
immediately.\n\nReleases \n-------- \nThe FIXED releases are available at the normal
locations.\n\nWorkarounds \n----------- \nA workaround to this issue is to not pass
arbitrary user input to the `render`\nmethod. Instead, verify that data before passing
it to the `render` method.\n\nFor example, change this:\n\n```ruby\ndef index\n
\ render params[:id]\nend\n```\n\nTo this:\n\n```ruby\ndef index\n  render verify_template(params[:id])\nend\n\nprivate\ndef
verify_template(name)\n  # add verification logic particular to your application
here\nend\n```\n\nPatches \n------- \nTo aid users who aren't able to upgrade immediately
we have provided a \npatch for it. It is in git-am format and consists of a single
changeset.\n\n* 3-2-secure_inline_with_params.patch - Patch for 3.2 series\n* 4-1-secure_inline_with_params.patch
- Patch for 4.1 series\n* 4-2-secure_inline_with_params.patch - Patch for 4.2 series\n\nCredits
\n------- \nThanks to both Tobias Kraze from makandra and joernchen of Phenoelit
for \nreporting this!\n"
- ">= 5.0.0.beta1"
- "~> 220.127.116.11"
- "~> 4.2.5, >= 18.104.22.168"
- "~> 4.1.14, >= 22.214.171.124"