Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NRed Hat Enterprise Linux Server
OSRedhat6.0Red Hat Subscription Asset Manager
APPRedhat≤ 1.3.0Rubyonrails Rails
APPRubyonrails< 3.2.184.0.0 – 4.0.5 (bez)4.1.0 – 4.1.1 (bez)
CISA KEV — szczegółyi
- Dostawcai
- Rails
- Produkti
- Ruby on Rails
- Data dodania do KEVi
- 25 marca 2022
- Termin remediation (USA)i
- 15 kwietnia 2022(po terminie)
Zastosuj aktualizacje zgodnie z instrukcjami producenta.
▸ Pokaż oryginał (EN)
Apply updates per vendor instructions.
LukaDirectory traversal w actionpack/lib/abstract_controller/base.rb w implementacji implicit-render w Ruby on Rails pozwala zdalnym atakującym na odczytanie dowolnych plików poprzez spreparowane żądanie.
▸ Pokaż oryginał (EN)
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request.
Powiązane podatności
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the s...
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbi...
Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified ve...
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...