Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwd2YteHdyMy1ocDU1
Moderate severity vulnerability that affects actionview
Withdrawn, accidental duplicate publish.
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Permalink: https://github.com/advisories/GHSA-2pwf-xwr3-hp55JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwd2YteHdyMy1ocDU1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: over 1 year ago Widthdrawn: almost 4 years ago
Identifiers: GHSA-2pwf-xwr3-hp55
References: Blast Radius: 0.0
Affected Packages
rubygems:actionview
Dependent packages: 354Dependent repositories: 601,072
Downloads: 475,633,483 total
Affected Version Ranges: >= 4.0.0, <= 4.1.14.1, >= 3.2.0, <= 3.2.22.1
Fixed in: 4.1.14.2, 3.2.22.2
All affected versions: 4.1.0, 4.1.1-0.rc1, 4.1.1-0.rc2, 4.1.1-0.rc3, 4.1.1-0.rc4, 4.1.1-2.rc1, 4.1.1-3.rc1, 4.1.1-4.1
All unaffected versions: 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3