First published: Wed Jun 20 2018(Updated: )
Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately. ### Workaround: In Rails applications, work around this issue, set `config.assets.compile = false` and `config.public_file_server.enabled = true` in an initializer and precompile the assets. This work around will not be possible in all hosting environments and upgrading is advised.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/sprockets | >=4.0.0.beta1<=4.0.0.beta7 | 4.0.0.beta8 |
rubygems/sprockets | >=3.0.0<3.7.2 | 3.7.2 |
rubygems/sprockets | <2.12.5 | 2.12.5 |
redhat/rubygem-sprockets | <4.0.0 | 4.0.0 |
redhat/rubygem-sprockets | <3.7.2 | 3.7.2 |
redhat/rubygem-sprockets | <2.12.5 | 2.12.5 |
debian/ruby-sprockets | 3.7.2-1 3.7.2-4 | |
Redhat Cloudforms | =4.5 | |
Redhat Cloudforms | =4.6 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =6.7 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =7.3 | |
Redhat Enterprise Linux | =7.4 | |
Redhat Enterprise Linux | =7.5 | |
Redhat Enterprise Linux | =7.6 | |
Sprockets Project Sprockets | >=2.0.0<=2.12.4 | |
Sprockets Project Sprockets | >=3.0.0<=3.7.1 | |
Sprockets Project Sprockets | =4.0.0-beta1 | |
Sprockets Project Sprockets | =4.0.0-beta2 | |
Sprockets Project Sprockets | =4.0.0-beta3 | |
Sprockets Project Sprockets | =4.0.0-beta4 | |
Sprockets Project Sprockets | =4.0.0-beta5 | |
Sprockets Project Sprockets | =4.0.0-beta6 | |
Sprockets Project Sprockets | =4.0.0-beta7 | |
Debian Debian Linux | =9.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-3760 is an information leak vulnerability in Sprockets that allows specially crafted requests to access files outside of an application's root directory.
Versions 4.0.0.beta7 and lower 3.x versions of Sprockets are affected by CVE-2018-3760.
CVE-2018-3760 has a severity rating of 7.5 (high).
Affected users should upgrade to version 4.0.0.beta8 or use one of the workarounds provided.
More information about CVE-2018-3760 can be found at the following links: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-3760), [Red Hat Security Advisories](https://access.redhat.com/errata/RHSA-2018:2244,https://access.redhat.com/errata/RHSA-2018:2245).