Arbitrary File Read

Affecting actionview gem, versions >=4.2.11, <4.2.11.1 || >=5.0.7, <5.0.7.2 || >=5.1.6, <5.1.6.2 || >=5.2.2, <5.2.2.1


Overview

actionview provides simple, battle-tested conventions and helpers for building web pages.

Affected versions of this package are vulnerable to Arbitrary File Read. A specially crafted Accept header, in combination with a call to render file:, could cause arbitrary files on the target server to be rendered, disclosing their contents.

Remediation

Upgrade actionview to version 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or higher.
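As an added example (not part of this advisory or of the actionview project), the following Ruby check reads the actionview version pinned in a Gemfile.lock and compares it against the affected ranges listed above; the lockfile fragment is constructed for the example.

```ruby
# Added example, not from the advisory: flag a locked actionview version
# that falls inside the affected ranges stated on this page.
require 'rubygems'

# Affected ranges from the advisory, as RubyGems requirements.
AFFECTED_RANGES = [
  ['>= 4.2.11', '< 4.2.11.1'],
  ['>= 5.0.7',  '< 5.0.7.2'],
  ['>= 5.1.6',  '< 5.1.6.2'],
  ['>= 5.2.2',  '< 5.2.2.1'],
].map { |reqs| Gem::Requirement.new(*reqs) }

# Extract the locked version of a gem from Gemfile.lock text.
# Top-level "specs:" entries are indented by exactly four spaces,
# e.g. "    actionview (5.2.2)"; dependency lines are indented deeper
# and carry an operator, so they do not match.
def locked_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  match && Gem::Version.new(match[1])
end

# True when the version lies in any affected range.
def affected_by_cve_2019_5418?(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Constructed sample lockfile fragment, not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.2)
        actionview (= 5.2.2)
      actionview (5.2.2)
        activesupport (= 5.2.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCKFILE, 'actionview')
  status = affected_by_cve_2019_5418?(v) ? 'AFFECTED' : 'not affected'
  puts "actionview #{v}: #{status}"
end
```

Point the script at a real Gemfile.lock by reading the file into `locked_version` in place of `SAMPLE_LOCKFILE`.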

CVSS Score

5.9 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:R

Credit: John Hawthorn
CVE: CVE-2019-5418
CWE: CWE-538
Snyk ID: SNYK-RUBY-ACTIONVIEW-173784
Disclosed: 13 Mar, 2019
Published: 13 Mar, 2019