Directory traversal vulnerability in Action View in Ruby on Rails before
3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary
files by leveraging an application’s unrestricted use of the render method
and providing a … (dot dot) in a pathname. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2016-0752.

Notes

Author	Note
seth-arnold	In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward

References

launchpad.net/bugs/cve/CVE-2016-2097

nvd.nist.gov/vuln/detail/CVE-2016-2097

security-tracker.debian.org/tracker/CVE-2016-2097

www.cve.org/CVERecord?id=CVE-2016-2097

osv 4

attackerkb 2

seebug 2

hackerone 3

cve 2

prion 2

veracode 2

github 3

debiancve 2

rubygems 4

debian 6

nessus 11

openvas 14

zdt 1

fedora 4

saint 3

packetstorm 1

metasploit 1

checkpoint_advisories 1

ubuntucve 1

cisa_kev 1

gitlab 2

redhat 4

exploitdb 1

suse 4

freebsd 2

ibm 2

kitploit 1

osv

actionview contains Path Traversal vulnerability

2017-10-24 18:33:35

rails - security update

2016-03-09 00:00:00

Directory traversal vulnerability in Action View in Ruby on Rails

2017-10-24 18:33:35

attackerkb

CVE-2016-2097

2016-04-07 00:00:00

CVE-2016-0752

2016-02-16 00:00:00

seebug

Ruby on Rails Action View 信息泄漏

2016-03-17 00:00:00

Rails Dynamic Render 远程命令执行漏洞 (CVE-2016-0752)

2016-01-27 00:00:00

hackerone

Ruby on Rails: Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View

2016-02-01 10:00:34

Ruby on Rails: Explicit, dynamic render path: Dir. Trav + RCE

2015-02-01 14:34:27

Ruby on Rails: Remote code execution using render :inline

2016-02-01 19:18:59

cve

CVE-2016-2097

2016-04-07 23:59:00

CVE-2016-0752

2016-02-16 02:59:00

prion

Directory traversal

2016-04-07 23:59:00

Directory traversal

2016-02-16 02:59:00

veracode

Directory Traversal And Information Disclosure

2019-01-15 09:10:39

Remote Code Execution (RCE) And Information Disclosure

2016-01-26 05:48:59

github

actionview contains Path Traversal vulnerability

2017-10-24 18:33:35

Moderate severity vulnerability that affects actionview

2018-08-13 20:48:52

Directory traversal vulnerability in Action View in Ruby on Rails

2017-10-24 18:33:35

debiancve

CVE-2016-2097

2016-04-07 23:59:00

CVE-2016-0752

2016-02-16 02:59:00

rubygems

Possible Information Leak Vulnerability in Action View

2016-02-28 21:00:00

Possible Information Leak Vulnerability in Action View

2016-02-28 21:00:00

Possible Information Leak Vulnerability in Action View

2016-01-24 21:00:00

debian

[SECURITY] [DSA 3509-1] rails security update

2016-03-09 17:48:46

[SECURITY] [DSA 3509-1] rails security update

2016-03-09 17:36:11

[SECURITY] [DSA 3509-1] rails security update

2016-03-09 17:48:46

nessus

Debian DSA-3509-1 : rails - security update

2016-03-10 00:00:00

Fedora 23 : rubygem-actionview-4.2.3-3.fc23 (2016-97002ad37b)

2016-03-04 00:00:00

Fedora 22 : rubygem-actionview-4.2.0-3.fc22 (2016-fa0dec2360)

2016-03-04 00:00:00

openvas

Debian: Security Advisory (DSA-3509-1)

2016-03-08 00:00:00

Debian Security Advisory DSA 3509-1 (rails - security update)

2016-03-09 00:00:00

Fedora Update for rubygem-actionview FEDORA-2016-97002

2016-02-29 00:00:00

zdt

Ruby on Rails Dynamic Render File Upload Remote Code Execution

2016-10-15 00:00:00

fedora

[SECURITY] Fedora 22 Update: rubygem-actionview-4.2.0-3.fc22

2016-02-28 08:31:07

[SECURITY] Fedora 23 Update: rubygem-actionview-4.2.3-3.fc23

2016-02-28 12:29:19

[SECURITY] Fedora 22 Update: rubygem-actionpack-4.2.0-3.fc22

2016-02-28 08:31:04

saint

Ruby on Rails Dynamic Render code execution

2016-11-11 00:00:00

Ruby on Rails Dynamic Render code execution

2016-11-11 00:00:00

Ruby on Rails Dynamic Render code execution

2016-11-11 00:00:00

packetstorm

Ruby on Rails Dynamic Render File Upload Remote Code Execution

2016-10-13 00:00:00

metasploit

Ruby on Rails Dynamic Render File Upload Remote Code Execution

2016-10-10 22:36:20

checkpoint_advisories

Ruby On Rails Directory Traversal (CVE-2016-0752)

2022-04-19 00:00:00

ubuntucve

CVE-2016-0752

2016-02-16 00:00:00

cisa_kev

Ruby on Rails Directory Traversal Vulnerability

2022-03-25 00:00:00

gitlab

Possible Information Leak Vulnerability

2016-02-15 00:00:00

Possible Information Leak Vulnerability

2016-04-07 00:00:00

redhat

(RHSA-2016:0455) Important: ruby193 security update

2016-03-15 00:00:00

(RHSA-2016:0454) Important: ror40 security update

2016-03-15 00:00:00

(RHSA-2016:0456) Important: rh-ror41 security update

2016-03-15 00:00:00

exploitdb

Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)

2016-10-17 00:00:00

suse

Security update for rubygem-actionpack-3_2 (important)

2016-03-19 16:13:08

Security update for rubygem-actionpack-3_2 (important)

2016-04-07 13:08:19

Security update for rubygem-actionview-4_1 (important)

2016-03-22 18:08:06

freebsd

rails -- multiple vulnerabilities

2016-02-29 00:00:00

rails -- multiple vulnerabilities

2016-01-25 00:00:00

ibm

Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-2098 CVE-2016-2097)

2022-08-19 21:04:31

Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9, IBM BigFix Inventory v9 and IBM Endpoint Manager for Software Use Analysis v9 & v2.2

2021-04-26 21:17:25

kitploit

Master_Librarian - A Simple Tool To Audit Unix/*BSD/Linux System Libraries To Find Public Security Vulnerabilities

2022-03-09 20:30:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.011 Low

EPSS

Percentile

84.3%

JSON

Related for UB:CVE-2016-2097