{"$ref":"https://www.cert.ssi.gouv.fr/openapi.json","affected_systems":[{"description":"Ruby on Rails 3.0.x.","product":{"name":"Ruby on Rails","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"Ruby on Rails 2.3.x ;","product":{"name":"Ruby on Rails","vendor":{"name":"Ruby on Rails","scada":false}}}],"affected_systems_content":null,"content":"## Description\n\nMultiple vulnerabilities in the Ruby on Rails product have been\nfixed. Among other things, these vulnerabilities allow:\n\n-   rendering of data views normally inaccessible to\n    the user;\n-   code injection into SQL queries;\n-   injection of JavaScript code into HTML responses;\n-   sending of malformed Unicode strings in HTML responses.\n\n## Solution\n\nRefer to the vendor's security bulletins to obtain the\npatches (see the Documentation section).\n\nNote: an update for version 3.1 RC is also available.\n","cves":[{"name":"CVE-2011-2930","url":"https://www.cve.org/CVERecord?id=CVE-2011-2930"},{"name":"CVE-2011-2932","url":"https://www.cve.org/CVERecord?id=CVE-2011-2932"},{"name":"CVE-2011-2929","url":"https://www.cve.org/CVERecord?id=CVE-2011-2929"},{"name":"CVE-2011-3186","url":"https://www.cve.org/CVERecord?id=CVE-2011-3186"},{"name":"CVE-2011-2931","url":"https://www.cve.org/CVERecord?id=CVE-2011-2931"}],"links":[{"title":"Debian security bulletin DSA 2301-1 of 5 September 2011:","url":"http://www.debian.org/security/2011/dsa-2301"},{"title":"Fedora security bulletin FEDORA-2011-11567 of 7 September 2011:","url":"http://lists.fedoraproject.org/pipemail/package-announce/2011-Septembre/065137.html"},{"title":"Ruby on Rails 2.3.14 release announcement:","url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-2-3-14"},{"title":"Secunia Advisory SA45648:","url":"http://secunia.com/advisories/45648/"},{"title":"Ruby on Rails 3.0.10 release announcement:","url":"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-0-10"}],"reference":"CERTA-2011-AVI-459","revisions":[{"description":"initial version.","revision_date":"2011-08-18T00:00:00.000000"},{"description":"added CVE references.","revision_date":"2011-08-23T00:00:00.000000"},{"description":"added references to the Debian and Fedora bulletins.","revision_date":"2011-09-14T00:00:00.000000"},{"description":"added a CVE reference.","revision_date":"2011-09-16T00:00:00.000000"}],"risks":[{"description":"Data integrity breach"},{"description":"Remote indirect code injection"},{"description":"Security policy bypass"}],"summary":"Multiple vulnerabilities in the Ruby on Rails product have been fixed. They allow\na security policy bypass, SQL code injection and\nHTML code injection into a response.\n","title":"Multiple vulnerabilities in Ruby on Rails","vendor_advisories":[{"published_at":null,"title":"Ruby on Rails security update announcements of 16 August 2011","url":null}]}
