CVE-2018-3760: Path Traversal
First published: Wed Jun 20 2018(Updated: )
Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately. ### Workaround: In Rails applications, work around this issue, set `config.assets.compile = false` and `config.public_file_server.enabled = true` in an initializer and precompile the assets. This work around will not be possible in all hosting environments and upgrading is advised.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/sprockets | >=4.0.0.beta1<=4.0.0.beta7 | 4.0.0.beta8 |
| rubygems/sprockets | >=3.0.0<3.7.2 | 3.7.2 |
| rubygems/sprockets | <2.12.5 | 2.12.5 |
| redhat/rubygem-sprockets | <4.0.0 | 4.0.0 |
| redhat/rubygem-sprockets | <3.7.2 | 3.7.2 |
| redhat/rubygem-sprockets | <2.12.5 | 2.12.5 |
| debian/ruby-sprockets | 3.7.2-1 3.7.2-4 | |
| Redhat Cloudforms | =4.5 | |
| Redhat Cloudforms | =4.6 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =6.7 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =7.3 | |
| Redhat Enterprise Linux | =7.4 | |
| Redhat Enterprise Linux | =7.5 | |
| Redhat Enterprise Linux | =7.6 | |
| Sprockets Project Sprockets | >=2.0.0<=2.12.4 | |
| Sprockets Project Sprockets | >=3.0.0<=3.7.1 | |
| Sprockets Project Sprockets | =4.0.0-beta1 | |
| Sprockets Project Sprockets | =4.0.0-beta2 | |
| Sprockets Project Sprockets | =4.0.0-beta3 | |
| Sprockets Project Sprockets | =4.0.0-beta4 | |
| Sprockets Project Sprockets | =4.0.0-beta5 | |
| Sprockets Project Sprockets | =4.0.0-beta6 | |
| Sprockets Project Sprockets | =4.0.0-beta7 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2018/06/19/2
- https://security-tracker.debian.org/tracker/CVE-2018-3760
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901913
- https://nvd.nist.gov/vuln/detail/CVE-2018-3760
- https://access.redhat.com/errata/RHSA-2018:2244
- https://access.redhat.com/errata/RHSA-2018:2245
- https://access.redhat.com/errata/RHSA-2018:2561
- https://access.redhat.com/errata/RHSA-2018:2745
- https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ
- https://www.debian.org/security/2018/dsa-4242
- https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5
- https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441
- https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
- https://github.com/advisories/GHSA-pr3h-jjhj-573x (Advisory)
- https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5
- https://blog.heroku.com/rails-asset-pipeline-vulnerability
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1593059
- https://bugzilla.redhat.com/show_bug.cgi?id=1593058
- https://www.openwall.com/lists/oss-security/2018/06/19/2
Frequently Asked Questions
What is CVE-2018-3760?
CVE-2018-3760 is an information leak vulnerability in Sprockets that allows specially crafted requests to access files outside of an application's root directory.
Which versions of Sprockets are affected by CVE-2018-3760?
Versions 4.0.0.beta7 and lower 3.x versions of Sprockets are affected by CVE-2018-3760.
How severe is CVE-2018-3760?
CVE-2018-3760 has a severity rating of 7.5 (high).
What is the remedy for CVE-2018-3760?
Affected users should upgrade to version 4.0.0.beta8 or use one of the workarounds provided.
Where can I find more information about CVE-2018-3760?
More information about CVE-2018-3760 can be found at the following links: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-3760), [Red Hat Security Advisories](https://access.redhat.com/errata/RHSA-2018:2244,https://access.redhat.com/errata/RHSA-2018:2245).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2018-3760
- collector/github-advisory
- alias/GHSA-pr3h-jjhj-573x
- collector/github-advisory-latest
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/security-tracker-debian
- package-manager/rubygems
- vendor/redhat
- canonical/redhat cloudforms
- version/redhat cloudforms/4.5
- version/redhat cloudforms/4.6
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/6.7
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/7.3
- version/redhat enterprise linux/7.4
- version/redhat enterprise linux/7.5
- version/redhat enterprise linux/7.6
- vendor/sprockets project
- canonical/sprockets project sprockets
- version/sprockets project sprockets/2.0.0
- version/sprockets project sprockets/2.12.4
- version/sprockets project sprockets/3.0.0
- version/sprockets project sprockets/3.7.1
- version/sprockets project sprockets/4.0.0-beta1
- version/sprockets project sprockets/4.0.0-beta2
- version/sprockets project sprockets/4.0.0-beta3
- version/sprockets project sprockets/4.0.0-beta4
- version/sprockets project sprockets/4.0.0-beta5
- version/sprockets project sprockets/4.0.0-beta6
- version/sprockets project sprockets/4.0.0-beta7
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/redhat
- package-manager/debian