vulnerability
Ubuntu: (CVE-2017-1002201): ruby-haml vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Oct 15, 2019 | Nov 19, 2024 | Apr 16, 2026 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Oct 15, 2019
Added
Nov 19, 2024
Modified
Apr 16, 2026
Description
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
Solution
ubuntu-pro-upgrade-ruby-haml
References
- CVE-2017-100220
- https://attackerkb.com/topics/CVE-2017-100220
- CWE-79
- EUVD-EUVD-2019-0713
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2019-0713
- https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
- https://snyk.io/vuln/SNYK-RUBY-HAML-20362
- https://www.cve.org/CVERecord?id=CVE-2017-1002201
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.