Arbitrary File Existence Exposure Affecting sprockets package, versions < 3.0.0.beta.3, >= 2.13 < 2.12.3, >= 2.12 < 2.11.3, >= 2.11 < 2.10.2, >= 2.10 < 2.9.4, >= 2.9 < 2.8.3, >= 2.8 < 2.7.1, >= 2.6 < 2.5.1, >= 2.5 < 2.4.6, >= 2.4 < 2.3.3, >= 2.3 < 2.2.3, >= 2.2 < 2.1.4, >= 2.1 < 2.0.5


0.0
medium
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-RUBY-SPROCKETS-20199

  • published

    29 Oct 2014

  • disclosed

    29 Oct 2014

  • credit

    Eaden McKee, Dennis Hackethal, Christian Hansen, Juan C. Müller, Mike McClurg, Alex Ianus

How to fix?

Upgrade sprockets to versions 2.0.5, 2.1.4, 2.2.3, 2.3.3, 2.4.6, 2.5.1, 2.7.1, 2.8.3, 2.9.4, 2.10.2, 2.11.3, 2.12.3, 3.0.0.beta.3 or higher.

Overview

sprockets is a Rack-based asset packaging system that concatenates and serves JavaScript, CoffeeScript, CSS, LESS, Sass, and SCSS.

Affected versions of this gem are vulnerable to Arbitrary File Existance Disclosure via specially crafted requests that can be used to determine whether a file exists on the filesystem that is outside an application's root directory. The files will not be served, but attackers can determine whether or not the file exists.