logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2019-5418 actionview

Package

Manager: gem
Name: actionview
Vulnerable Version: >=5.2.0 <5.2.2.1 || >=4.0.0 <4.2.11.1 || >=5.1.0 <5.1.6.2 || >=5.0.0 <5.0.7.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.94336 pctl0.99949

Details

Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub

Metadata

Created: 2019-03-13T17:26:59Z
Modified: 2025-07-09T14:58:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-86g5-2wh3-gc9j/GHSA-86g5-2wh3-gc9j.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-86g5-2wh3-gc9j
Finding: F063
Auto approve: 1