CVE-2016-2097.yml
---
gem: actionpack
framework: rails
cve: 2016-2097
ghsa: vx9j-46rh-fqr8
url: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
title: Possible Information Leak Vulnerability in Action View
date: 2016-02-29
description: |
  There is a possible directory traversal and information leak vulnerability
  in Action View. This was meant to be fixed in CVE-2016-0752. However, the 3.2
  patch did not cover all the scenarios. This vulnerability has been
  assigned the CVE identifier CVE-2016-2097.

  Versions Affected: 3.2.x, 4.0.x, 4.1.x
  Not affected: 4.2+
  Fixed Versions: 3.2.22.2, 4.1.14.2

  Impact
  ------

  Applications that pass unverified user input to the `render` method in a
  controller may be vulnerable to an information leak.

  Impacted code will look something like this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  Carefully crafted requests can cause the above code to render files from
  unexpected places, such as outside the application's view directory, and can
  possibly escalate this to a remote code execution attack.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------

  The FIXED releases are available at the normal locations.

  Workarounds
  -----------

  A workaround to this issue is to not pass arbitrary user input to the `render`
  method. Instead, verify that data before passing it to the `render` method.

  For example, change this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  To this:

  ```ruby
  def index
    render verify_template(params[:id])
  end

  private

  def verify_template(name)
    # add verification logic particular to your application here
  end
  ```

  Patches
  -------

  To aid users who aren't able to upgrade immediately we have provided patches.
  They are in git-am format and each consists of a single changeset.

  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
  * 4-1-render_data_leak_2.patch - Patch for 4.1 series

  Credits
  -------

  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
  and working with us on the patch!
cvss_v3: 5.3
unaffected_versions:
  - ">= 4.1.0"
patched_versions:
  - "~> 3.2.22.2"
  - "~> 4.1.14"
  - ">= 4.1.14.2"
notes: "Newer versions are affected, but tracked in the actionview gem."
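One way to fill in the `verify_template` stub from the Workarounds section above, as an added example in plain Ruby that is not part of the advisory or of Rails: the template name is checked against a strict identifier pattern and then against an allowlist built from the view directory at boot, so traversal strings and handler-extension tricks are refused before `render` ever sees them. `InvalidTemplate`, `TEMPLATE_NAME`, `ALLOWED_TEMPLATES`, `template_names_from` and `safe_template?` are constructed for this example.

```ruby
# Allowlist-based template verification for the Workarounds section above.
# Plain Ruby, no Rails dependency. InvalidTemplate, TEMPLATE_NAME,
# ALLOWED_TEMPLATES and safe_template? are constructed for this example.

class InvalidTemplate < ArgumentError; end

# A template name must be a plain identifier: letters, digits, underscores and
# dashes only. No dots, slashes, NUL bytes or absolute paths, so traversal
# strings ("../config/database") and handler tricks ("index.html.erb") never
# reach the file lookup in Action View.
TEMPLATE_NAME = /\A[a-zA-Z0-9_-]+\z/

# Build the allowlist from the basenames in a controller's view directory
# (e.g. Dir.children("app/views/posts")) at boot, never from the request.
# Only the part before the first dot is kept: "index.html.erb" -> "index".
def template_names_from(basenames)
  basenames.map { |b| b.split(".", 2).first.to_s }
           .select { |n| n.match?(TEMPLATE_NAME) }
           .uniq.freeze
end

# Constructed sample of a view directory listing.
ALLOWED_TEMPLATES = template_names_from(
  %w[index.html.erb show.html.erb archive.json.jbuilder .keep]
)

# Returns the name unchanged when it is safe to hand to render, otherwise
# raises. Both checks are applied: shape first, then membership.
def verify_template(name)
  name = name.to_s
  unless name.match?(TEMPLATE_NAME) && ALLOWED_TEMPLATES.include?(name)
    raise InvalidTemplate, "refusing to render template #{name.inspect}"
  end
  name
end

# Boolean form, convenient for tests and for logging rejected requests.
def safe_template?(name)
  verify_template(name)
  true
rescue InvalidTemplate
  false
end

# In a controller the workaround then reads:
#   def index
#     render verify_template(params[:id])
#   end
```

Logging the rejected name (via `safe_template?`) gives a cheap detection signal for probing of this bug, since legitimate clients never send dots or slashes in that parameter.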