id: CVE-2015-3224 info: name: Ruby on Rails Web Console - Remote Code Execution author: pdteam severity: medium description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb. impact: | Remote code execution can lead to unauthorized access, data breaches, and complete compromise of the affected system. remediation: | Upgrade to a patched version of Ruby on Rails or disable the Web Console feature. reference: - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/ - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/ - https://hackerone.com/reports/44513 - https://nvd.nist.gov/vuln/detail/CVE-2015-3224 - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2015-3224 cwe-id: CWE-284 epss-score: 0.92904 epss-percentile: 0.99025 cpe: cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: rubyonrails product: web_console tags: cve2015,cve,ruby,hackerone,rce,rails,intrusive,rubyonrails http: - method: GET path: - "{{BaseURL}}/{{randstr}}" headers: X-Forwarded-For: ::1 matchers-condition: and matchers: - type: word part: body words: - "Rails.root:" - "Action Controller: Exception caught" condition: and - type: word part: response words: - X-Web-Console-Session-Id - data-remote-path= - data-session-id= case-insensitive: true condition: or # digest: 490a00463044022020354b064be7c3002811f57d9842df15bde98e6b50ddf1dd51805c572f6e204602200d5345769babb2b707fd686e022f805cacbf8216fabc09786c56c79672c5f14e:922c64590222798bb761d5b6d8e72950