Directory traversal vulnerability in Action View in Ruby on Rails

RSS Feed HIGH

GHSA-xrr4-p6fq-hjg7 CVE-2016-0752

Description:

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
rubygems	`actionview`	`>= 4.2.0, <= 4.2.5.0` `>= 4.0.0, <= 4.1.14.0`	`4.2.5.1`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	October 24, 2017 over 8 years ago
Updated:	June 04, 2026 about 1 hour ago
CVSS Score:	7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
EPSS:	90.49% 100th percentile
Source:	Github
Classification:	GENERAL
UUID:	`MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhycjQtcDZmcS1oamc3`

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot