Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
rhn.redhat.com/errata/RHSA-2016-0296.html
www.debian.org/security/2016/dsa-3464
www.openwall.com/lists/oss-security/2016/01/25/13
www.securityfocus.com/bid/81801
www.securitytracker.com/id/1034816
groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
www.exploit-db.com/exploits/40561/
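
An application-side guard against the unrestricted render use described above, as an added example that is not part of the original advisory and is not Rails code. It validates a request-supplied template name before the name reaches any render call; VIEW_ROOT, ALLOWED_TEMPLATES and both function names are hypothetical.

```ruby
# Added example (plain Ruby, no Rails needed): vet a user-supplied template
# name before it is passed to a render call.
# VIEW_ROOT and ALLOWED_TEMPLATES are hypothetical values for illustration.
VIEW_ROOT = "/srv/app/app/views".freeze
ALLOWED_TEMPLATES = %w[dashboard/summary dashboard/detail].freeze

# Preferred control: map the request value onto a fixed allowlist, so the
# value never acts as a path. Unknown names fall back to a known template.
def allowlisted_template(requested, default: "dashboard/summary")
  name = requested.to_s
  ALLOWED_TEMPLATES.include?(name) ? name : default
end

# Secondary control: lexical containment check. Returns the normalized
# absolute path when it stays under root, otherwise nil.
# It does not resolve symlinks; use File.realpath on existing files for that.
def contained_path(root, requested)
  name = requested.to_s
  # Reject empty input, NUL bytes, and "~", which expand_path treats as a home dir.
  return nil if name.empty? || name.include?("\0") || name.start_with?("~")

  root_abs  = File.expand_path(root)
  candidate = File.expand_path(name, root_abs) # collapses "." and ".." segments
  # The trailing separator stops sibling directories such as "views_backup"
  # from passing a bare prefix comparison.
  candidate.start_with?(root_abs + File::SEPARATOR) ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might arrive in a request parameter.
  samples = ["dashboard/detail", "../../etc/passwd", "/etc/passwd",
             "../views_backup/x", "a/../dashboard/summary"]
  samples.each do |s|
    printf("%-26s allowlist=%-18s contained=%s\n",
           s, allowlisted_template(s), contained_path(VIEW_ROOT, s).inspect)
  end
end
```

The allowlist is the stronger of the two controls; the containment check is for code that must accept a path-like value and is no substitute for upgrading to a fixed Rails release.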