CVE-2018-16471
Source: ubuntu.com (UB:CVE-2018-16471)
Published: Nov 13, 2018 - 12:00 a.m.

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 6.1 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

EPSS: 0.008 Low (Percentile: 81.7%)

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11.
Carefully crafted requests can affect the value returned by the scheme
method on Rack::Request. Applications that expect the scheme to be
limited to ‘http’ or ‘https’ and do not escape the return value could be
vulnerable to an XSS attack. Note that applications using the normal
escaping mechanisms provided by Rails may not be impacted, but applications
that bypass the escaping mechanisms, or do not use them, may be vulnerable.
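The two defences the advisory implies, as an added illustration that is neither Rack's own code nor part of this record: an allowlist on the proxy headers that feed the scheme lookup (the patched releases apply the same http/https allowlist), beside HTML-escaping of the rendered value so a non-scheme string cannot become markup. The environment hash, header payload and helper names below are constructed for this example.

```ruby
require 'cgi'

# Only these values should ever be taken from proxy headers; the fixed Rack
# releases apply the same allowlist, and anything else falls back to the
# scheme the server itself set in rack.url_scheme.
ALLOWED_SCHEMES = %w[http https].freeze

# Scheme lookup as the advisory describes it for unfixed releases: the
# X-Forwarded-Proto header is trusted as-is (illustration, not Rack's code).
def naive_scheme(env)
  env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
end

# Hardened lookup: honour the proxy headers only for allowlisted values.
def safe_scheme(env)
  return 'https' if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
  candidates = [env['HTTP_X_FORWARDED_SCHEME'],
                env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first]
  candidates.each { |s| return s if ALLOWED_SCHEMES.include?(s) }
  env['rack.url_scheme']
end

# Vulnerable rendering pattern: the scheme is assumed to be http/https and
# interpolated into markup without escaping.
def render_unescaped(scheme, host)
  %(<a href="#{scheme}://#{host}/login">Log in</a>)
end

# Hardened rendering: escape every interpolated value, whatever its source.
def render_escaped(scheme, host)
  %(<a href="#{CGI.escapeHTML(scheme)}://#{CGI.escapeHTML(host)}/login">Log in</a>)
end

# Constructed Rack-style environment for a request whose forwarded-proto
# header carries markup instead of a scheme.
HOSTILE_ENV = {
  'rack.url_scheme'        => 'http',
  'HTTP_HOST'              => 'example.test',
  'HTTP_X_FORWARDED_PROTO' => '"><script>alert(1)</script><a href="'
}.freeze

if $PROGRAM_NAME == __FILE__
  puts render_unescaped(naive_scheme(HOSTILE_ENV), HOSTILE_ENV['HTTP_HOST'])
  puts render_escaped(safe_scheme(HOSTILE_ENV), HOSTILE_ENV['HTTP_HOST'])
end
```

Either defence alone closes the injection shown here; the escaping is the one that also covers values that reach a template by other routes.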

Affected packages

OS      Version  Architecture  Package    Version             Filename
ubuntu  18.04    noarch        ruby-rack  < 1.6.4-4ubuntu0.1  UNKNOWN
ubuntu  14.04    noarch        ruby-rack  < 1.5.2-3+deb8u3    UNKNOWN
ubuntu  16.04    noarch        ruby-rack  < 1.6.4-3ubuntu0.1  UNKNOWN
