First published: Wed Mar 13 2019
# File Content Disclosure in Action View

Impact
------

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:

``` ruby
class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end
```

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds
-----------

This vulnerability can be mitigated by specifying a format for file rendering, like this:

``` ruby
class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file", formats: [:html]
  end
end
```

In summary, impacted calls to `render` look like this:

```
render file: "#{Rails.root}/some/file"
```

The vulnerability can be mitigated by changing to this:

```
render file: "#{Rails.root}/some/file", formats: [:html]
```

Other calls to `render` are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:

``` ruby
# config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  # Keep only request formats that map to a registered MIME type symbol,
  # or the "*/*" wildcard.
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)
```

Credits
-------

Thanks to John Hawthorn <john@hawthorn.email> of GitHub
Credit: support@hackerone.com
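To locate call sites that still need the `formats:` workaround described in the advisory, the following is an added example (not code from the advisory or from Rails): a heuristic source audit that reports `render file:` calls without an explicit `formats:` option. The function name, the regexes and the sample controller are assumptions constructed for illustration.

```ruby
# Added example (not from the advisory): heuristic audit for `render file:`
# calls that do not pin `formats:`. The sample controller is constructed.
FILE_OPT    = /\brender\b.*?(?:\bfile:|:file\s*=>)/
FORMATS_OPT = /\bformats:|:formats\s*=>/

# Returns [[line_number, statement], ...] for each unpinned `render file:` call.
def unpinned_render_file_calls(source)
  # Drop trailing comments, but keep "#{...}" string interpolation intact.
  lines = source.lines.map { |l| l.sub(/\#(?!\{).*$/, "").rstrip }
  findings = []
  lines.each_with_index do |code, idx|
    next unless code.match?(/\brender\b/)
    stmt = code.dup
    j = idx
    # Join continuation lines so multi-line argument lists are seen whole.
    while stmt.end_with?(",", "(") && j + 1 < lines.size
      j += 1
      stmt << " " << lines[j].strip
    end
    next unless stmt.match?(FILE_OPT)
    next if stmt.match?(FORMATS_OPT)
    findings << [idx + 1, stmt.strip]
  end
  findings
end

SAMPLE = <<~'RUBY'
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end

    def show
      render file: "#{Rails.root}/some/file", formats: [:html]
    end

    def export
      render(
        file: "#{Rails.root}/some/other",
        status: :ok
      )
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  unpinned_render_file_calls(SAMPLE).each { |n, s| puts "line #{n}: #{s}" }
end
```

The match is regex-based, so a string literal containing `file:` can produce a false positive; treat findings as a review list to confirm by hand.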
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/actionview | >=4.0.0<=4.2.11.0 | 4.2.11.1 |
rubygems/actionview | >=5.2.0<=5.2.2.0 | 5.2.2.1 |
rubygems/actionview | >=5.0.0<=5.0.7.1 | 5.0.7.2 |
rubygems/actionview | >=5.1.0<=5.1.6.1 | 5.1.6.2 |
Rubyonrails Rails | >=3.0.0<4.2.11.1 | |
Rubyonrails Rails | >=5.0.0<5.0.7.2 | |
Rubyonrails Rails | >=5.1.0<5.1.6.2 | |
Rubyonrails Rails | >=5.2.0<5.2.2.1 | |
Debian Debian Linux | =8.0 | |
Redhat Cloudforms | =4.7 | |
openSUSE Leap | =15.0 | |
Fedoraproject Fedora | =30 | |
Redhat Cloudforms | =4.6 | |
Redhat Software Collections | =1.0 | |
CVE-2019-5418 is a File Content Disclosure vulnerability in Action View.
CVE-2019-5418 can cause arbitrary files on the target server to be rendered, disclosing their content.
CVE-2019-5418 has a severity rating of 7.5 (High).
Action View versions <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 are affected by CVE-2019-5418.
To fix CVE-2019-5418, update Action View to versions 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1.