QwikSec

Security Database

CVE

CWE

Training

CVE-2016-2097

Published: Apr 7, 2016

Modified: Aug 5, 2024

PUBLISHED

Description

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

SUSE-SU-2016:0967

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_DEBIAN

[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_SECTRACK

SUSE-SU-2016:0854

vendor-advisory

x_refsource_SUSE

vdb-entry

x_refsource_BID

openSUSE-SU-2016:0835

vendor-advisory

x_refsource_SUSE

http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.