CVE-2016-0752: Directory traversal vulnerability in Action View in Ruby on Rails
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. The vulnerable pattern is a controller that passes unverified user input straight to render (for example `render params[:template]`): the view resolver treats the string as a path, so a value containing `../` components is resolved outside the application's view directories and the file it reaches is read as a template.
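The unrestricted pattern next to a hardened one, as an added illustration rather than code from this advisory or from Rails. It simulates only the path-resolution step (no Rails template lookup, handler or format negotiation); the view root `/srv/app/app/views`, the allowlist and the function names are assumptions made for the example.

```ruby
require "pathname"

# Constructed view root and template allowlist for this example (assumptions,
# not a Rails convention).
VIEW_ROOT = Pathname.new("/srv/app/app/views")
ALLOWED_TEMPLATES = %w[reports/index reports/show].freeze

# Vulnerable pattern (simulated): the template name comes from the request
# unchanged, as in `render params[:template]`. Resolving it against the view
# root lets "../" components climb out of it, and an absolute name replaces
# the root entirely. Returns the path that would actually be opened.
def resolve_unrestricted(user_template)
  VIEW_ROOT.join(user_template).cleanpath.to_s
end

# True when the resolved path lies outside VIEW_ROOT, i.e. the request would
# read a file the application never meant to serve as a template.
def traversal?(user_template)
  !resolve_unrestricted(user_template).start_with?("#{VIEW_ROOT}/")
end

# Hardened pattern: only names from an explicit allowlist are accepted, and
# even those are re-checked to stay below VIEW_ROOT after normalisation.
def resolve_allowlisted(user_template)
  unless ALLOWED_TEMPLATES.include?(user_template)
    raise ArgumentError, "template #{user_template.inspect} is not allowed"
  end
  resolved = VIEW_ROOT.join(user_template).cleanpath
  unless resolved.to_s.start_with?("#{VIEW_ROOT}/")
    raise ArgumentError, "template #{user_template.inspect} escapes the view root"
  end
  resolved.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample parameter values: one legitimate, two traversal attempts.
  %w[reports/index ../../../../etc/passwd /etc/passwd].each do |name|
    puts "#{name.ljust(26)} -> #{resolve_unrestricted(name)} (traversal=#{traversal?(name)})"
  end
end
```

The `traversal?` check is the same test a request-log review can apply to the offending parameter when looking for exploitation attempts; the allowlist in `resolve_allowlisted` is the fix that does not depend on the Rails version, because the template name never reaches the resolver as free-form input.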
References
- github.com/advisories/GHSA-xrr4-p6fq-hjg7
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
- groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
- nvd.nist.gov/vuln/detail/CVE-2016-0752
- web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
- web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
- web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
- www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
- www.exploit-db.com/exploits/40561