Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
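
The difference between unrestricted and restricted use of a request-supplied template name, as an added example that is not part of the advisory and is not Rails code: it models path resolution in plain Ruby. The views root, the allowlist and the function names are assumptions made for illustration.

```ruby
# Added example: a plain-Ruby model of the lookup, not Rails internals.
VIEWS_ROOT = "/srv/app/app/views" # assumed views directory
ALLOWED_TEMPLATES = %w[dashboard/index dashboard/help].freeze # hypothetical allowlist

# Unrestricted pattern: the request-supplied name is joined onto the views
# root and normalised, so each ".." segment climbs one directory.
def naive_resolve(root, name)
  File.expand_path(File.join(root, name))
end

# Check: does the resolved path land outside the views root?
def escapes_root?(root, name)
  base = File.expand_path(root)
  !naive_resolve(base, name).start_with?(base + File::SEPARATOR)
end

# Restricted pattern: only names on a fixed allowlist are ever rendered.
def verify_template(name)
  return name if name.is_a?(String) && ALLOWED_TEMPLATES.include?(name)
  raise ArgumentError, "template not permitted: #{name.inspect}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs standing in for a request parameter.
  ["dashboard/index", "../../../outside/file.txt", "dashboard/../../secrets"].each do |name|
    verdict = begin
      verify_template(name)
      "allowed"
    rescue ArgumentError
      "rejected"
    end
    puts format("%-28s -> %-34s escapes=%-5s %s", name.inspect,
                naive_resolve(VIEWS_ROOT, name), escapes_root?(VIEWS_ROOT, name), verdict)
  end
end
```

The allowlist is the control; the containment check is useful in tests and log review to flag names that would have resolved outside the views directory.
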
lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
rhn.redhat.com/errata/RHSA-2016-0296.html
www.debian.org/security/2016/dsa-3464
www.openwall.com/lists/oss-security/2016/01/25/13
github.com/advisories/GHSA-xrr4-p6fq-hjg7
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
nvd.nist.gov/vuln/detail/CVE-2016-0752
web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
web.archive.org/web/20210621170450/www.securityfocus.com/bid/81801
web.archive.org/web/20210723192420/www.securitytracker.com/id/1034816
www.exploit-db.com/exploits/40561