Directory Traversal And Information Disclosure

2019-01-1509:10:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

actionview gem is vulnerable to directory traversal and information disclosure. This vulnerability affects applications which pass user input directly into the ‘render’ method in an action view controller without verification. Using this vulnerability, attackers can render files from outside the view directory and potentially perform remote code execution. This CVE is handling the issues for all the scenarios which were not covered in CVE-2016-0752.

CPENameOperatorVersion
rh-ror41-rubygem-actionpackeq4.1.5__2.el6
rh-ror41-rubygem-actionpackeq4.1.5__3.el6
rh-ror41-rubygem-actionvieweq4.1.5__3.el6
rh-ror41-rubygem-actionvieweq4.1.5__4.el6
ror40-rubygem-actionpackeq4.0.2__4.el6
ror40-rubygem-activerecordeq4.0.2__2.2.el6
ror40-rubygem-activerecordeq4.0.2__2.3.el6
ror40-rubygem-activerecordeq4.0.2__2.el6
ror40-rubygem-activesupporteq4.0.2__3.el6
ruby193-rubygem-activesupporteq3.2.8__3.el6

Name	Operator	Version
rh-ror41-rubygem-actionpack	eq	4.1.5__2.el6
rh-ror41-rubygem-actionpack	eq	4.1.5__3.el6
rh-ror41-rubygem-actionview	eq	4.1.5__3.el6
rh-ror41-rubygem-actionview	eq	4.1.5__4.el6
ror40-rubygem-actionpack	eq	4.0.2__4.el6
ror40-rubygem-activerecord	eq	4.0.2__2.2.el6
ror40-rubygem-activerecord	eq	4.0.2__2.3.el6
ror40-rubygem-activerecord	eq	4.0.2__2.el6
ror40-rubygem-activesupport	eq	4.0.2__3.el6
ruby193-rubygem-activesupport	eq	3.2.8__3.el6