CVE-2019-5418
Gem: actionview
Category: File Access
Severity: Critical
Discovered over 1 year ago
Published over 1 year ago

There is a possible file content disclosure vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2019-5418.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Impact

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds

This vulnerability can be mitigated by specifying a format for file rendering, like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file", formats: [:html]
  end
end

In summary, impacted calls to render look like this:

render file: "#{Rails.root}/some/file"

The vulnerability can be mitigated by changing to this:

render file: "#{Rails.root}/some/file", formats: [:html]

Other calls to render are not impacted.
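To locate the impacted call shape in an existing code base, the following audit helper is an added example (not part of the advisory or of Rails itself). It scans Ruby source line by line for `render file:` (or `render :file =>`) calls that do not pin a format with `formats:`, which is exactly the pattern the advisory marks as impacted; the sample controller it runs over is constructed for the example, and the regex heuristic only sees single-line calls.

```ruby
# Added example: flag `render file:` calls with no `formats:` option,
# the call shape impacted by CVE-2019-5418. Heuristic: one call per
# line; multi-line `render(` calls are not recognised.

# Returns [[line_number, stripped_line], ...] for every impacted call.
def unformatted_render_file_calls(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    # Drop trailing Ruby comments, but keep "#{...}" string interpolation.
    code = line.chomp.sub(/#(?!\{).*\z/, "")
    # Only `render file:` / `render :file =>` calls are in scope.
    next unless code =~ /\brender\b.*(?:\bfile:|:file\s*=>)/
    # A pinned format (`formats:` / `:formats =>`) is the documented fix.
    next if code =~ /(?:\bformats:|:formats\s*=>)/
    findings << [lineno, line.strip]
  end
  findings
end

# Constructed sample controller (non-interpolating heredoc, so the
# "#{Rails.root}" text is kept literally, as it appears in source files).
SAMPLE_CONTROLLER = <<~'RUBY'
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end

    def show
      render file: "#{Rails.root}/some/file", formats: [:html]
    end

    def legacy
      render :file => "#{Rails.root}/some/file"
    end

    def template
      render "index"  # renders a template, not a file: not impacted
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  unformatted_render_file_calls(SAMPLE_CONTROLLER).each do |lineno, code|
    puts "line #{lineno}: #{code}"
  end
end
```

Only `index` and `legacy` are reported; `show` pins a format and `template` renders a template rather than a file.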

Alternatively, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)

Credits

Thanks to John Hawthorn <john@hawthorn.email> of GitHub

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

~> 4.2.11, >= 4.2.11.1
~> 5.0.7, >= 5.0.7.2
~> 5.1.6, >= 5.1.6.2
~> 5.2.2, >= 5.2.2.1
>= 6.0.0.beta3

Unaffected Versions

n/a

References

n/a

CVE-2014-7829
Gem: rails
Category: File Access
Source: NIST NVD
Severity: Severe
Discovered over 5 years ago
Published almost 6 years ago

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but the specially crafted string is slightly different.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 3.2.21
~> 4.0.11.1
~> 4.0.12
~> 4.1.7.1
>= 4.1.8

Unaffected Versions

< 3.0.0

CVE-2014-7818
Gem: rails
Category: File Access
Source: NIST NVD
Severity: Moderate
Discovered over 5 years ago
Published almost 6 years ago

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 3.2.20
~> 4.0.11
~> 4.1.7
>= 4.2.0.beta3

Unaffected Versions

< 3.0.0

CVE-2014-0130
Gem: rails
Category: Attribute Restriction
Source: NIST NVD
Severity: Moderate
Discovered over 5 years ago
Published over 6 years ago

There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails. The implicit render functionality allows controllers to render a template even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization, which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the Rails application server.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Patched Versions

~> 3.2.18
~> 4.0.5
>= 4.1.1

Unaffected Versions

n/a

CVE-2017-8418
Gem: rubocop
Category: File Access
Source: GitHub
Severity: Moderate
Discovered over 2 years ago
Published over 3 years ago

RuboCop 0.48.1 and earlier does not use /tmp in a safe way, allowing local users to exploit this to tamper with cache files belonging to other users.

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 0.49.0

Unaffected Versions

n/a

References

n/a