Directory Traversal When Route Globbing Configurations Are Enabled

2019-01-1508:55:13

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

CPENameOperatorVersion
ruby193-rubygem-actionpackeq3.2.8__13.el6
ruby193-rubygem-actionpackeq3.2.13__6.el6cf
ruby193-rubygem-actionpackeq3.2.13__4.el6cf
ruby193-rubygem-actionpackeq3.2.8__15.el6sat
ruby193-rubygem-actionpackeq3.2.8__5.1.el6
ruby193-rubygem-actionpackeq3.2.8__3.el6
ruby193-rubygem-actionpackeq3.2.8__5.5.el6
ruby193-rubygem-actionpackeq3.2.13__5.el6cf
ruby193-rubygem-actionpackeq3.2.8__11.el6_4
ruby193-rubygem-actionpackeq3.2.8__1.el6

Name	Operator	Version
ruby193-rubygem-actionpack	eq	3.2.8__13.el6
ruby193-rubygem-actionpack	eq	3.2.13__6.el6cf
ruby193-rubygem-actionpack	eq	3.2.13__4.el6cf
ruby193-rubygem-actionpack	eq	3.2.8__15.el6sat
ruby193-rubygem-actionpack	eq	3.2.8__5.1.el6
ruby193-rubygem-actionpack	eq	3.2.8__3.el6
ruby193-rubygem-actionpack	eq	3.2.8__5.5.el6
ruby193-rubygem-actionpack	eq	3.2.13__5.el6cf
ruby193-rubygem-actionpack	eq	3.2.8__11.el6_4
ruby193-rubygem-actionpack	eq	3.2.8__1.el6