Information Exposure Affecting actionview package, versions >=3.2.23, <4.1.14.2 <3.2.22.2
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-ACTIONVIEW-20263
- published 28 Feb 2016
- disclosed 28 Feb 2016
- credit Jyoti Singh and Tobias Kraze
Introduced: 28 Feb 2016
CVE-2016-2097 Open this link in a new tabOverview
actionview is a conventions and helpers gem for building web pages.
Affected versions of this Gem are vulnerable to directory traversal and information leaks. This was meant to be fixed on CVE-2016-0752 but the 3.2 patch was not covering all the scenarios.
Details
Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.
Impacted code will look something like this:
def index
render params[:id]
end
Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the workarounds immediately.
A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.
For example, change this:
def index
render params[:id]
end
To this:
def index
render verify_template(params[:id])
end
private
def verify_template(name)
add verification logic particular to your application here
end