logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2016-2097 actionview

Package

Manager: gem
Name: actionview
Vulnerable Version: >=3.0.0 <3.2.22.2 || >=4.0.0 <4.1.14.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02816 pctl0.85599

Details

actionview contains Path Traversal vulnerability There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all possible scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097. Versions Affected: 3.2.x, 4.0.x, 4.1.x Not affected: 4.2+ Fixed Versions: 3.2.22.2, 4.1.14.2 Impact ------ Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ```ruby def index render params[:id] end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method. For example, change this: ```ruby def index render params[:id] end ``` To this: ```ruby def index render verify_template(params[:id]) end private def verify_template(name) # add verification logic particular to your application here end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset. * 3-2-render_data_leak_2.patch - Patch for 3.2 series * 4-1-render_data_leak_2.patch - Patch for 4.1 series Credits ------- Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!

Metadata

Created: 2017-10-24T18:33:35Z
Modified: 2023-07-05T20:44:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-vx9j-46rh-fqr8/GHSA-vx9j-46rh-fqr8.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-vx9j-46rh-fqr8
Finding: F063
Auto approve: 1