Class: Dawn::Kb::CVE_2014_2538

# File 'lib/dawn/kb/cve_2014_2538.rb', line 7

def initialize
      message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
       super({
        :name=>"CVE-2014-2538",
        :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
        :release_date => Date.new(2014, 3, 25),
        :cwe=>"79",
        :owasp=>"A3",
        :applies=>["rails"],
        :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
        :message=>message,
        :mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.3.4 or higher.",
        :aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
       })

       self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.3.4']}]
end

Class: Dawn::Kb::CVE_2014_2538

Overview

Constant Summary

Constants included from BasicCheck

Instance Attribute Summary

Attributes included from DependencyCheck

Attributes included from BasicCheck

Instance Method Summary collapse

Methods included from DependencyCheck

Methods included from BasicCheck

Methods included from Utils

Constructor Details

#initialize ⇒ CVE_2014_2538

#initialize ⇒ `CVE_2014_2538`