5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.011 Low
EPSS
Percentile
84.1%
There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all possible scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.
Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2
Applications that pass unverified user input to the render
method in a controller may be vulnerable to an information leak vulnerability.
Impacted code will look something like this:
def index
render params[:id]
end
Carefully crafted requests can cause the above code to render files from unexpected places like outside the application’s view directory, and can possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the workarounds immediately.
The FIXED releases are available at the normal locations.
A workaround to this issue is to not pass arbitrary user input to the render
method. Instead, verify that data before passing it to the render
method.
For example, change this:
def index
render params[:id]
end
To this:
def index
render verify_template(params[:id])
end
private
def verify_template(name)
# add verification logic particular to your application here
end
To aid users who aren’t able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset.
Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!
CPE | Name | Operator | Version |
---|---|---|---|
actionpack | le | 4.1.14.1 | |
actionpack | le | 3.2.22.1 | |
actionview | le | 4.1.14.1 | |
actionview | le | 3.2.22.1 |
lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
www.debian.org/security/2016/dsa-3509
github.com/advisories/GHSA-vx9j-46rh-fqr8
github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml
groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
nvd.nist.gov/vuln/detail/CVE-2016-2097
web.archive.org/web/20160322002234/www.securitytracker.com/id/1035122
web.archive.org/web/20200228015320/www.securityfocus.com/bid/83726
web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.011 Low
EPSS
Percentile
84.1%