Information Exposure Affecting actionview package, versions >=3.2.23, <4.1.14.2<3.2.22.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.82% (82nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-ACTIONVIEW-20263
  • published28 Feb 2016
  • disclosed28 Feb 2016
  • creditJyoti Singh and Tobias Kraze

Introduced: 28 Feb 2016

CVE-2016-2097  (opens in a new tab)
CWE-200  (opens in a new tab)

Overview

actionview is a conventions and helpers gem for building web pages. Affected versions of this Gem are vulnerable to directory traversal and information leaks. This was meant to be fixed on CVE-2016-0752 but the 3.2 patch was not covering all the scenarios.

Details

Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

def index
  render params[:id]
end

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private def verify_template(name)

add verification logic particular to your application here

end

CVSS Scores

version 3.1