Information Exposure

Affecting actionview gem, versions >=4.3.0, <5.0.0 || >=4.2.0, <4.2.5.1 || >=3.2.23, <4.1.14.1 || <3.2.22.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

actionview is a conventions and helpers gem for building web pages. Affected versions of this Gem are vulnerable to directory traversal and information leaks.

Details

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
Credit
John Poulin
CVE
CVE-2016-0752
CWE
CWE-200
Snyk ID
SNYK-RUBY-ACTIONVIEW-20262
Disclosed
24 Jan, 2016
Published
24 Jan, 2016