There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11.
Carefully crafted requests can impact the data returned by the `scheme`
method on `Rack::Request`. Applications that expect the scheme to be
limited to 'http' or 'https' and do not escape the return value could be
vulnerable to an XSS attack. Note that applications using the normal
escaping mechanisms provided by Rails may not impacted, but applications
that bypass the escaping mechanisms, or do not use them may be vulnerable.
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):needs-triage
More Information

Updated: 2019-01-14 21:30:28 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)