---
gem: activeresource
osvdb: 95749
url: http://osvdb.org/show/osvdb/95749
title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
date: 2008-08-15
description: |
  activeresource contains a format string flaw in the request function of
  lib/active_resource/connection.rb. The issue is triggered as format string
  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
  when passed via the 'result.code' and 'result.message' variables. This may
  allow a remote attacker to cause a denial of service or potentially execute
  arbitrary code.
patched_versions:
  - ">= 2.2.0"