The Wicked gem prior to v1.0.1 allows a remote attacker to traverse directories on the system via a vulnerability in controller/concerns/render_redirect.rb. An attacker can send a specially-crafted URL request containing %2E%2E%2F directory traversal sequences to read arbitrary files on the system.
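The standard mitigation for this class of bug is to treat the wizard step taken from the URL as an untrusted token and accept it only if it matches a declared step, rather than passing it into a template path. The Ruby below is an added illustration of that check and is not Wicked's own code or the content of the fix commit; the wizard step names, the `resolve_step`/`template_for` helpers and the sample requests are all hypothetical and constructed here. It also shows why decoding matters: Rack percent-decodes `params` before a controller sees them, so `%2E%2E%2F` reaches the application as `../`.

```ruby
require "uri"

# Hypothetical wizard with three declared steps (assumed, not from Wicked).
WIZARD_STEPS = %i[confirm_password confirm_profile find_friends].freeze

# Mirror Rack's percent-decoding so the check sees what the controller would
# see: "%2E%2E%2F" becomes "../". Malformed encodings (e.g. "%zz") raise
# ArgumentError in URI.decode_www_form_component; treat them as invalid input.
def decode_step(raw)
  URI.decode_www_form_component(raw.to_s)
rescue ArgumentError
  nil
end

# Allowlist check: return the step as a Symbol only if it is one of the
# declared steps. Any other value, including traversal sequences, yields nil.
def resolve_step(raw)
  step = decode_step(raw)
  return nil if step.nil?

  sym = step.to_sym
  WIZARD_STEPS.include?(sym) ? sym : nil
end

# Build the template name from the validated step. A nil result means the
# controller should respond with 404 instead of rendering anything, so the
# raw request string never reaches the template lookup.
def template_for(raw)
  step = resolve_step(raw)
  step ? "wizard/#{step}" : nil
end

# Constructed sample requests and the outcome the check should produce.
SAMPLES = {
  "confirm_profile"                               => "wizard/confirm_profile",
  "%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"                => nil,
  "../../etc/passwd"                              => nil,
  "confirm_profile%2F..%2F..%2Fconfig%2Fdatabase.yml" => nil,
  "%zz"                                           => nil,
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |raw, expected|
    actual = template_for(raw)
    status = actual == expected ? "ok " : "BAD"
    puts "#{status} #{raw.ljust(52)} -> #{actual.inspect}"
  end
end
```

Because the comparison is against a fixed set of Symbols rather than a denylist of substrings, alternative encodings (double-encoded dots, mixed case, backslashes) are rejected without needing a special case for each.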
seclists.org/oss-sec/2013/q4/43
exchange.xforce.ibmcloud.com/vulnerabilities/87783
github.com/advisories/GHSA-rprj-g6xc-p5gq
github.com/rubysec/ruby-advisory-db/blob/master/gems/wicked/CVE-2013-4413.yml
github.com/schneems/wicked
github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53
nvd.nist.gov/vuln/detail/CVE-2013-4413
web.archive.org/web/20210508170740/www.securityfocus.com/bid/62891