id: CVE-2015-3224 info: name: Ruby on Rails Web Console - Remote Code Execution author: pdteam severity: medium description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb. remediation: | Upgrade to a patched version of Ruby on Rails or disable the Web Console feature. reference: - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/ - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/ - https://hackerone.com/reports/44513 - https://nvd.nist.gov/vuln/detail/CVE-2015-3224 - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2015-3224 cwe-id: CWE-284 epss-score: 0.93656 epss-percentile: 0.98766 cpe: cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: rubyonrails product: web_console tags: ruby,hackerone,cve,cve2015,rce,rails,intrusive http: - method: GET path: - "{{BaseURL}}/{{randstr}}" headers: X-Forwarded-For: ::1 matchers-condition: and matchers: - type: word part: body words: - "Rails.root:" - "Action Controller: Exception caught" condition: and - type: word part: response words: - X-Web-Console-Session-Id - data-remote-path= - data-session-id= case-insensitive: true condition: or