Severity: HIGH (7.5) · Ecosystem: RubyGems · Listed in CISA KEV
Directory traversal vulnerability in Action View in Ruby on Rails
GHSA-xrr4-p6fq-hjg7 · CVE-2016-0752
Description
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
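The pattern the description refers to is a controller that passes a request-supplied name straight to render; because the view resolver joins that name onto the views directory, a .. segment walks outside it. The following is an added example, not code from the advisory or from Rails: plain Ruby that models the resolver's path join so the weak and the hardened variants can be compared side by side, without a Rails dependency. The allowlist, the views directory and the request values are constructed for the example.

```ruby
# Added example (not part of the advisory): modelling template resolution
# for `render` so the unrestricted and the allowlisted variants can be compared.

# Constructed allowlist of template names this controller is allowed to render.
TEMPLATE_NAMES = %w[index show edit].freeze

class TemplateError < StandardError; end

# Weak pattern from the advisory: the template name comes straight from the
# request and is joined onto the views directory with no restriction, so
# `..` segments resolve to files outside it.
def unrestricted_template_path(views_dir, requested)
  File.expand_path(requested, views_dir)
end

# Hardened pattern: the request may only select from a fixed allowlist, and
# the resolved path is additionally checked to remain under views_dir
# (defence in depth in case the allowlist is later widened carelessly).
def allowlisted_template_path(views_dir, requested)
  unless TEMPLATE_NAMES.include?(requested)
    raise TemplateError, "template not permitted: #{requested.inspect}"
  end
  resolved = File.expand_path(requested, views_dir)
  root = File.expand_path(views_dir) + File::SEPARATOR
  unless resolved.start_with?(root)
    raise TemplateError, "resolved path escapes views directory"
  end
  resolved
end

# Returns true when the hardened resolver rejects the request; useful for
# tests and for deciding whether to log a rejected request.
def rejected?(views_dir, requested)
  allowlisted_template_path(views_dir, requested)
  false
rescue TemplateError
  true
end

# Detection helper for request logs: flags a template parameter that contains
# a `..` segment or is absolute, which a legitimate template name never is.
def traversal_attempt?(requested)
  return true if requested.start_with?("/")
  requested.split(%r{[\\/]}).include?("..")
end

if __FILE__ == $PROGRAM_NAME
  views = "/srv/app/app/views/users"   # constructed views directory
  evil = "../../../config/database.yml" # constructed request value
  puts "unrestricted: #{unrestricted_template_path(views, evil)}"
  puts "allowlisted:  #{rejected?(views, evil) ? 'rejected' : 'allowed'}"
  puts "traversal attempt flagged: #{traversal_attempt?(evil)}"
end
```

The allowlist is the real fix: the containment check on the resolved path guards against the case where a template name is derived from request data in some other way, but on its own it would not stop a request from selecting an arbitrary file that happens to live under the views tree, such as a partial never meant to be rendered directly.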
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-0752
- ADVISORY https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
- WEB https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
- WEB https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
- WEB https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
- WEB https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
- WEB https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
- WEB https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
- WEB https://www.exploit-db.com/exploits/40561
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
- WEB http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- WEB http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
- WEB http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-0296.html
- WEB http://www.debian.org/security/2016/dsa-3464
- WEB http://www.openwall.com/lists/oss-security/2016/01/25/13
- WEB http://www.securityfocus.com/bid/81801
- WEB http://www.securitytracker.com/id/1034816