Description
There is an information leak vulnerability in Sprockets. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.
Mitigation
Ensure config.assets.compile = false in production.rb.
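
An added audit sketch (not code from the advisory or from the Sprockets project) that checks an application against the affected version ranges and the mitigation above. It assumes the standard Bundler `Gemfile.lock` layout; the function names and sample inputs are hypothetical, and an unset `config.assets.compile` is treated as not mitigated.

```ruby
require "rubygems"

# Highest affected release on each major line, as listed in the advisory.
LAST_AFFECTED = {
  2 => Gem::Version.new("2.12.4"),
  3 => Gem::Version.new("3.7.1"),
  4 => Gem::Version.new("4.0.0.beta7"),
}.freeze

# Locked sprockets version from Gemfile.lock text, or nil if not present.
def locked_sprockets_version(lock_text)
  m = lock_text.match(/^ {4}sprockets \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def affected_version?(version)
  major = version.segments.first
  return true if major < 2 # covered by "2.12.4 and lower"
  limit = LAST_AFFECTED[major]
  !limit.nil? && version <= limit
end

# Value of the last uncommented config.assets.compile assignment, nil if unset.
def assets_compile_setting(config_text)
  value = nil
  config_text.each_line do |line|
    m = line.sub(/#.*/, "").match(/config\.assets\.compile\s*=\s*(true|false)\b/)
    value = (m[1] == "true") if m
  end
  value
end

def audit(lock_text, config_text)
  version = locked_sprockets_version(lock_text)
  affected = !version.nil? && affected_version?(version)
  mitigated = assets_compile_setting(config_text) == false
  { version: version&.to_s, affected: affected, mitigated: mitigated,
    exposed: affected && !mitigated }
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_LOCK = "GEM\n  specs:\n    sprockets (3.7.1)\n      rack (> 1, < 3)\n    sprockets-rails (3.2.1)\n      sprockets (>= 3.0.0)\n"
SAMPLE_CONFIG = "Rails.application.configure do\n  # config.assets.compile = false\n  config.assets.compile = true\nend\n"

puts audit(SAMPLE_LOCK, SAMPLE_CONFIG).inspect if __FILE__ == $PROGRAM_NAME
```

In practice, pass the contents of the application's own `Gemfile.lock` and `config/environments/production.rb` to `audit`.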
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 1.3 | ruby193-rubygem-sprockets | Will not fix | | |
| Red Hat Satellite 6 | ruby193-rubygem-sprockets | Not affected | | |
| Red Hat Subscription Asset Manager | ruby193-rubygem-sprockets | Will not fix | | |
| CloudForms Management Engine 5.8 | ansible-tower | Fixed | RHSA-2018:2745 | 26.09.2018 |
| CloudForms Management Engine 5.8 | cfme | Fixed | RHSA-2018:2745 | 26.09.2018 |
| CloudForms Management Engine 5.8 | cfme-appliance | Fixed | RHSA-2018:2745 | 26.09.2018 |
| CloudForms Management Engine 5.8 | cfme-gemset | Fixed | RHSA-2018:2745 | 26.09.2018 |
| CloudForms Management Engine 5.8 | rh-postgresql95-postgresql-pglogical | Fixed | RHSA-2018:2745 | 26.09.2018 |
| CloudForms Management Engine 5.9 | cfme | Fixed | RHSA-2018:2561 | 04.09.2018 |
| CloudForms Management Engine 5.9 | cfme-amazon-smartstate | Fixed | RHSA-2018:2561 | 04.09.2018 |
Additional information
CVSS3: 7.5 High