HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2016-0752

CVSS 7.5v3.1pub. 2016-02-16upd. 2026-04-22

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Debian

    OS
    Debian
    8.0
  • Opensuse Leap

    OS
    Opensuse
    42.1
  • Opensuse

    OS
    Opensuse
    13.2
  • Red Hat Software Collections

    APP
    Redhat
    1.0
  • Rubyonrails Rails

    APP
    Rubyonrails
    5.0.04.2.0 – 4.2.5.1 (bez)4.0.0 – 4.1.14.1 (bez)< 3.2.22.1
  • SUSE Linux Enterprise Module For Containers

    OS
    Suse
    12

CISA KEV — detailsi

Vendori
Rails
Producti
Ruby on Rails
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 kwietnia 2022
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki