Vulnerability CVE-2018-3760


Published: 2018-06-26

Description:
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

Type:

CWE-200

(Information Exposure)

Vendor: Debian
Product: Debian linux 
Version: 9.0;
Vendor: Redhat
Product: Enterprise linux 
Version:
7.5
7.4
7.3
7.0
6.7
6
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Vendor: Sprockets project
Product: Sprockets 
Version:
4.0.0
3.0.0
2.9.3
2.8.2
2.7.0
2.6.0
2.5.0
2.4.5
2.3.2
2.2.2
2.12.2
2.11.2
2.10.1
2.1.3
2.0.5

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
https://access.redhat.com/errata/RHSA-2018:2244
https://access.redhat.com/errata/RHSA-2018:2245
https://access.redhat.com/errata/RHSA-2018:2561
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5
https://www.debian.org/security/2018/dsa-4242

Copyright 2018, cxsecurity.com

 

Back to Top