thesp0nge / dawnscanner

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
MIT License

CVE-2016-0751 incorrectly flagged for Rails 4.2.6 #196

Closed monfresh closed 8 years ago

monfresh commented 8 years ago

This CVE was fixed in 4.2.5.1. 4.2.6 is greater than 4.2.5.1, so it should not be vulnerable. Yet, dawnscanner is reporting a vulnerability.

baburdick commented 8 years ago

Also wrong for 4.1.15 (fixed in 4.1.14.1).
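The two reports above (4.2.6 flagged although the fix is 4.2.5.1, 4.1.15 flagged although the fix is 4.1.14.1) are both cases of a version falling on the patched side of its own release branch. The following is an added example, not dawnscanner's code or the fix from the thread: it shows a branch-aware check using Gem::Version, next to two patterns that produce exactly this kind of false positive. The fixed versions 4.2.5.1 and 4.1.14.1 come from the thread; the table layout, the Gemfile.lock excerpt and the function names are assumptions made for the example, and the naive checks are illustrations of how such bugs arise, not a confirmed diagnosis of dawnscanner's implementation.

```ruby
require 'rubygems' # Gem::Version ships with RubyGems; required explicitly for clarity

# Fixed versions for CVE-2016-0751 as stated in this thread (4.2.5.1 and 4.1.14.1).
# The table layout is an assumption for the example; other branches would be
# listed the same way.
FIXED_VERSIONS = {
  'CVE-2016-0751' => %w[4.1.14.1 4.2.5.1]
}.freeze

# Constructed Gemfile.lock excerpt (not taken from the reporter's project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.6)
      rails (4.2.6)
      rack (1.6.4)
LOCK

# Extract "name (version)" pairs from the specs section of a Gemfile.lock.
def lockfile_versions(text)
  text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Branch-aware check: compare the installed version only against the fix
# released for its own major.minor branch, using Gem::Version so that
# 4.2.6 > 4.2.5.1 and 4.2.10 > 4.2.9 are evaluated numerically.
def vulnerable?(installed, fixed_versions)
  v = Gem::Version.new(installed)
  fixed = fixed_versions.map { |s| Gem::Version.new(s) }
  branch_fix = fixed.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  return v < branch_fix if branch_fix

  # No fix on this branch: older than every fix means an unmaintained branch
  # that never received the patch (vulnerable); newer than every fix means a
  # later branch that shipped with the patch (not vulnerable).
  v < fixed.min
end

# Pattern 1 (illustration, not a confirmed diagnosis of dawnscanner): flag the
# app if it is below *any* fixed version, ignoring branches. 4.1.15 < 4.2.5.1,
# so a patched 4.1 app is wrongly reported.
def naive_vulnerable?(installed, fixed_versions)
  v = Gem::Version.new(installed)
  fixed_versions.any? { |s| v < Gem::Version.new(s) }
end

# Pattern 2: plain string comparison. "4.2.10" < "4.2.9" lexicographically,
# so a patched 4.2.10 looks older than 4.2.9.
def string_vulnerable?(installed, fixed)
  installed < fixed
end

# Return the CVE ids whose fix is missing for the rails version in a lockfile.
def scan(lockfile_text, table = FIXED_VERSIONS)
  versions = lockfile_versions(lockfile_text)
  return [] unless versions.key?('rails')

  table.select { |_cve, fixed| vulnerable?(versions['rails'], fixed) }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "rails #{lockfile_versions(LOCKFILE)['rails']}: #{scan(LOCKFILE).inspect}"
end
```

Running the file prints an empty finding list for the constructed lockfile, because 4.2.6 is above the 4.2 branch fix; the naive and string variants are kept only so that the two failure modes can be compared against the branch-aware check on the same inputs.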

JMCQ87 commented 8 years ago

I think this might also affect a number of other CVEs, for example CVE-2016-2098 or CVE-2015-7577:

(Ruby) actionpack : 4.2.6
    Possible remote code execution vulnerability in Action Pack
    https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
    Possible Object Leak and Denial of Service attack in Action Pack
    https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
    Object leak vulnerability for wildcard controller routes in Action Pack
    https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
    Timing attack vulnerability in basic authentication in Action Controller.
    https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
(Ruby) actionview : 4.2.6
    Possible Information Leak Vulnerability in Action View
    https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
(Ruby) activemodel : 4.2.6
    Possible Input Validation Circumvention in Active Model
    https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
(Ruby) activerecord : 4.2.6
    Nested attributes rejection proc bypass in Active Record
    https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Output from a tool, which probably also uses dawnscanner in the background, I think.

If I run dawn locally on the same project, I only get CVE-2016-0751 and CVE-2016-2098 though, so the cause of the problem for the other examples might be in the databases some other scanner uses.

edit: Just found that there is a separate issue for CVE-2016-2098 already...

MKgridSec commented 8 years ago

Hello, https://github.com/thesp0nge/dawnscanner/pull/205 should resolve the false positives for CVE-2016-0751 and CVE-2016-7577.