Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXByM2gtampoai01NzN4

Sprockets path traversal leads to information leak

Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workaround:

In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.

This work around will not be possible in all hosting environments and upgrading is advised.

Permalink: https://github.com/advisories/GHSA-pr3h-jjhj-573x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXByM2gtampoai01NzN4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: 8 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-pr3h-jjhj-573x, CVE-2018-3760
References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-3760
• https://access.redhat.com/errata/RHSA-2018:2244
• https://access.redhat.com/errata/RHSA-2018:2245
• https://access.redhat.com/errata/RHSA-2018:2561
• https://access.redhat.com/errata/RHSA-2018:2745
• https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ
• https://www.debian.org/security/2018/dsa-4242
• https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5
• https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441
• https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
• https://github.com/advisories/GHSA-pr3h-jjhj-573x

Repository: https://github.com/rails/sprockets
Blast Radius: 44.5

Affected Packages