HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2019-5418

CVSS 7.5v3.1pub. 2019-03-27upd. 2025-10-30

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Debian

    OS
    Debian
    8.0
  • Fedora Project Fedora

    OS
    Fedoraproject
    30
  • Opensuse Leap

    OS
    Opensuse
    15.0
  • Red Hat Cloudforms

    APP
    Redhat
    4.64.7
  • Red Hat Software Collections

    APP
    Redhat
    1.0
  • Rubyonrails Rails

    APP
    Rubyonrails
    5.2.0 – 5.2.2.1 (bez)5.1.0 – 5.1.6.2 (bez)5.0.0 – 5.0.7.2 (bez)3.0.0 – 4.2.11.1 (bez)

CISA KEV — detailsi

Vendori
Rails
Producti
Ruby on Rails
Added to KEVi
July 7, 2025
Remediation deadline (US Federal)i
July 28, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 28 lipca 2025
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki