There is a possible directory traversal and information leak vulnerability
in Action View. This was meant to be fixed as part of CVE-2016-0752, but the
3.2 patch did not cover all scenarios. This vulnerability has been
assigned the CVE identifier CVE-2016-2097.
Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2
Applications that pass unverified user input to the render method in a
controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

    def index
      render params[:id]
    end

Carefully crafted requests can cause the above code to render files from
unexpected places like outside the application's view directory, and can
possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
The FIXED releases are available at the normal locations.
A workaround to this issue is to not pass arbitrary user input to the render
method. Instead, verify that data before passing it to the render method.

For example, change this:

    def index
      render params[:id]
    end

To this:

    def index
      render verify_template(params[:id])
    end

    private

    def verify_template(name)
      # add verification logic particular to your application here
    end
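One way to fill in verify_template, shown as an added example rather than code from the advisory or from Rails: user input only selects a key in a fixed allowlist and is never used as a path. The TemplateNotAllowed class, the renderable? helper, and the keys and template paths are hypothetical.

```ruby
# Added example, not Rails code: an allowlist-based verify_template.
# The keys and template paths below are constructed for illustration.
class TemplateNotAllowed < StandardError; end

# Map of request-visible keys to templates inside app/views.
# User input only ever selects a key; it is never used as a path.
ALLOWED_TEMPLATES = {
  "about"   => "pages/about",
  "contact" => "pages/contact",
  "faq"     => "help/faq"
}.freeze

def verify_template(name)
  # Request parameters may arrive as nil, Array or Hash; accept String only.
  unless name.is_a?(String)
    raise TemplateNotAllowed, "template name must be a String, got #{name.class}"
  end

  # Exact-match lookup: no normalisation, no prefix or suffix matching.
  ALLOWED_TEMPLATES.fetch(name) do
    raise TemplateNotAllowed, "template #{name.inspect} is not on the allowlist"
  end
end

# Helper for the demonstration: true if the input would be rendered.
def renderable?(name)
  verify_template(name)
  true
rescue TemplateNotAllowed
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one legitimate key and several that must be refused.
  ["about", "../../config/database", "/etc/hostname", "about\0.html",
   ["about"], { "name" => "about" }, nil].each do |input|
    puts format("%-32s %s", input.inspect, renderable?(input) ? "render" : "reject")
  end
end
```

In a controller, rescue TemplateNotAllowed (for instance with rescue_from) and respond with a 404 instead of rendering.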
To aid users who aren't able to upgrade immediately we have provided patches
for it. They are in git-am format and consist of a single changeset.

Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
and working with us on the patch!

CPE

Name | Operator | Version
---|---|---
actionview | lt | 4.2.0
actionview | le | 4.1.14.1
actionview | ge | 4.1.15.0