CVE-2018-3760
sprockets Critical
Information Disclosure
Discovered over 2 years ago
Published over 2 years ago
Category: Information Disclosure
Severity: Critical

Specially crafted requests can be used to access files that exist on the filesystem that is outside an application’s root directory, when the Sprockets server is used in production.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workaround: In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.

This work around will not be possible in all hosting environments and upgrading is advised.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 2.12.5 < 3.0.0 >= 3.7.2 < 4.0.0 >= 4.0.0.beta8

Unaffected Versions

n/a

References

n/a

CVE-2019-11068
nokogiri Severe
Information Disclosure
Discovered over 1 year ago
Published over 1 year ago
Category: Information Disclosure
Source: GitHub
Severity: Severe

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as “Priority: medium” by Canonical, and “NVD Severity: high” by Debian. More details are available below.

If you’re using your distro’s system libraries, rather than Nokogiri’s vendored libraries, there’s no security need to upgrade at this time, though you may want to check with your distro whether they’ve patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue [#1892] https://github.com/sparklemotion/nokogiri/issues/1892.


CVE-2019-11068

Permalinks are: - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068 - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Canonical rates this as “Priority: Medium”.

Debian rates this as “NVD Severity: High (attack range: remote)”.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 1.10.3

Unaffected Versions

n/a

References

n/a

CVE-2016-0752
rails Severe
Attribute Restriction
Discovered almost 5 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752.

Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index 
  render params[:id] 
end 

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application’s view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index 
  render params[:id] 
end 

To this:

def index 
  render verify_template(params[:id]) 
end 

private 
def verify_template(name) 
  # add verification logic particular to your application here 
end 

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 3-2-render_data_leak.patch - Patch for 3.2 series
  • 4-1-render_data_leak.patch - Patch for 4.1 series
  • 4-2-render_data_leak.patch - Patch for 4.2 series
  • 5-0-render_data_leak.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks John Poulin for reporting this!

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial None None
Patched Versions

>= 5.0.0.beta1.1 ~> 4.2.5 >= 4.2.5.1 ~> 4.1.14 >= 4.1.14.1

Unaffected Versions

>= 4.1.0

CVE-2016-2097
rails Severe
Attribute Restriction
Discovered over 4 years ago
Published over 4 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Severe

There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected: 3.2.x, 4.0.x, 4.1.x Not affected: 4.2+ Fixed Versions: 3.2.22.2, 4.1.14.2

Impact

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application’s view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset.

  • 3-2-render_data_leak_2.patch - Patch for 3.2 series
  • 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits

Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial None None
Patched Versions

~> 4.1.14 >= 4.1.14.2

Unaffected Versions

>= 4.2.0