Information Exposure

Affecting actionview gem, versions >=3.2.23, <4.1.14.2 || <3.2.22.2

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

actionview is a conventions and helpers gem for building web pages. Affected versions of this Gem are vulnerable to directory traversal and information leaks. This was meant to be fixed on CVE-2016-0752 but the 3.2 patch was not covering all the scenarios.

Details

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

References

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
Jyoti Singh and Tobias Kraze
CVE
CVE-2016-2097
CWE
CWE-200
Snyk ID
SNYK-RUBY-ACTIONVIEW-20263
Disclosed
28 Feb, 2016
Published
28 Feb, 2016