CVE-2019-18978

Published: Nov 14, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d

x_refsource_MISC

https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4

x_refsource_MISC

[debian-lts-announce] 20200206 [SECURITY] [DLA 2096-1] ruby-rack-cors security update

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20201001 [SECURITY] [DLA 2389-1] ruby-rack-cors security update

mailing-list

x_refsource_MLIST

USN-4571-1

vendor-advisory

x_refsource_UBUNTU

DSA-4918

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-18978

Description

Affected Products

References