Description
A directory traversal vulnerability exists in Rack < 2.2.0, in the Rack::Directory app that is bundled with Rack, which can result in information disclosure.
The flaw was found in the Rack::Directory app that ships with Rack. If certain directories exist in a directory managed by Rack::Directory, an attacker can read the contents of files on the server outside the root specified in the Rack::Directory initializer. The highest threat from this vulnerability is to confidentiality.
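The following Ruby example is added here and is not Rack's own code (the page does not reproduce Rack's check_forbidden). It illustrates the class of bug described above: confining a requested path to a served root. A naive check that only rejects literal ".." segments is placed beside a hardened check that normalises the joined path, resolves symlinks with File.realpath and verifies that the result still lies under the root. The fixture directory, file names, request paths and the helper names (decode_path, naive_resolve, safe_resolve, inside?, demo) are constructed for this example.

```ruby
require "tmpdir"
require "fileutils"

# Percent-decode PATH_INFO once, as a Rack-compatible server does before
# handing it to the app, so "%2e%2e%2f" arrives as "../".
def decode_path(path_info)
  path_info.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Naive confinement (illustrative, not Rack's check): reject only when a
# literal ".." segment survives decoding. It never looks at where the path
# lands on disk, so a symlink inside the root that points above it is
# followed without complaint.
def naive_resolve(root, path_info)
  decoded = decode_path(path_info)
  return nil if decoded.split("/").include?("..")
  File.join(root, decoded)
end

# Hardened confinement: decode once, normalise the joined path lexically,
# require it to sit under the canonical root, then resolve symlinks with
# File.realpath and require the resolved path to sit under the root as well.
def safe_resolve(root, path_info)
  root_real = File.realpath(root)
  decoded = decode_path(path_info)
  return nil if decoded.include?("\0")
  candidate = File.expand_path(File.join(root_real, decoded))
  return nil unless inside?(root_real, candidate)
  return nil unless File.exist?(candidate) # also false for dangling symlinks
  real = File.realpath(candidate)
  inside?(root_real, real) ? real : nil
end

# True when path is the root itself or strictly beneath it.
def inside?(root, path)
  path == root || path.start_with?(root + "/")
end

# Constructed fixture: a served root with one public file and a symlink to a
# file above the root. Resolve a few request paths with both checks and
# return what each check would let the client read.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "public")
    FileUtils.mkdir_p(File.join(root, "docs"))
    File.write(File.join(root, "docs", "readme.txt"), "public")
    File.write(File.join(tmp, "secret.txt"), "outside root")
    File.symlink(File.join(tmp, "secret.txt"), File.join(root, "docs", "link"))

    requests = [
      "/docs/readme.txt",
      "/docs/%2e%2e/%2e%2e/secret.txt", # encoded dot-dot segments
      "/../secret.txt",
      "/docs/link"                      # no "..", escapes through the symlink
    ]
    requests.each_with_object({}) do |req, out|
      n = naive_resolve(root, req)
      s = safe_resolve(root, req)
      out[req] = {
        naive: ((n && File.file?(n)) ? File.read(n) : nil),
        safe:  (s ? File.read(s) : nil)
      }
    end
  end
end

if __FILE__ == $0
  demo.each do |req, r|
    puts "#{req.ljust(32)} naive=#{r[:naive].inspect} safe=#{r[:safe].inspect}"
  end
end
```

Both checks stop the obvious encoded and plain "../" requests; only the hardened check refuses the symlink, because it judges the path by where it resolves rather than by the characters it contains. The realpath step is the part a practitioner should keep when writing a static-file or directory-listing handler.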
Statement
Because the following products package the flawed code but do not use its functionality (Rack::Directory), their impact has been reduced to Low:
- Red Hat CloudForms
- Red Hat OpenStack Platform 13.0 Operational Tools
- Red Hat Gluster Storage 3

Red Hat Satellite 6 ships the affected version of the Rack RubyGem and is vulnerable to the flaw. However, because attackers require shell access to exploit the vulnerability, Red Hat Product Security has rated this issue as having a security impact of Low for Satellite. A future update might address this issue.
Affected packages
| Platform | Package | State | Advisory | Released |
|---|---|---|---|---|
| CloudForms Management Engine 5 | cfme-amazon-smartstate | Fix deferred | ||
| CloudForms Management Engine 5 | cfme-gemset | Fix deferred | ||
| Red Hat OpenStack Platform 10 (Newton) Operational Tools | rubygem-rack | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) Operational Tools | rubygem-rack | Fix deferred | ||
| Red Hat Satellite 6 | tfm-ror52-rubygem-rack | Affected | ||
| Red Hat Storage 3 | rubygem-rack | Affected | ||
| Red Hat Satellite 6.8 for RHEL 7 | ansible-collection-redhat-satellite | Fixed | RHSA-2020:4366 | 27.10.2020 |
| Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-foreman_scap_client | Fixed | RHSA-2020:4366 | 27.10.2020 |
| Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-insights-client | Fixed | RHSA-2020:4366 | 27.10.2020 |
| Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-satellite-receptor-installer | Fixed | RHSA-2020:4366 | 27.10.2020 |
Additional information
Status:
EPSS
5.9 Medium
CVSS3
Related vulnerabilities
- A directory traversal vulnerability exists in Rack < 2.2.0, in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
- Directory traversal in Rack::Directory app bundled with Rack
- Vulnerability in the check_forbidden function of rack/directory.rb in Rack, the modular interface between web servers and web applications, allowing an attacker to gain access to confidential data