CVE-2018-3760

high

Description

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.
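As an added illustration of the defensive check that prevents this class of bug (an example written for this page, not Sprockets' own code or the referenced fix), the Ruby function below resolves a requested asset path against the asset root and refuses anything whose resolved location escapes that root. The asset root and the request paths are constructed values.

```ruby
# Added example: lexical containment check for asset requests.
# Not Sprockets code; the root and request paths below are constructed.
require "pathname"

# Constructed asset root for the example.
ASSET_ROOT = "/srv/app/app/assets"

# Resolve a requested (already percent-decoded) asset path against the root.
# Returns the absolute path when it stays inside the root, nil otherwise.
def resolve_within_root(root, requested)
  # NUL bytes and absolute paths are never legitimate asset requests.
  return nil if requested.include?("\0")
  return nil if Pathname.new(requested).absolute?

  root_path = Pathname.new(root).cleanpath
  # Pathname#+ resolves "." and ".." segments lexically, so the candidate
  # is the location the request would actually reach.
  candidate = (root_path + requested).cleanpath

  # A path inside the root has a relative form that does not start with "..".
  rel = candidate.relative_path_from(root_path).to_s
  return nil if rel == ".." || rel.start_with?("../")

  candidate.to_s
end

# Classify a batch of constructed requests; handy when reviewing access logs
# for traversal attempts against an asset server.
def classify_requests(root, requests)
  requests.each_with_object({}) do |req, out|
    out[req] = resolve_within_root(root, req) ? :allowed : :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = ["javascripts/app.js", "../../../../etc/passwd",
            "styles/../fonts/a.woff", "javascripts/../../config/secrets.yml"]
  classify_requests(ASSET_ROOT, sample).each { |req, verdict| puts "#{verdict}\t#{req}" }
end
```

The check is purely lexical; on a live filesystem, comparing `File.realpath` of the candidate against the root additionally catches symlinks that point outside the root.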

References

https://access.redhat.com/errata/RHSA-2018:2244

https://access.redhat.com/errata/RHSA-2018:2245

https://access.redhat.com/errata/RHSA-2018:2561

https://access.redhat.com/errata/RHSA-2018:2745

https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f

https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441

https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5

https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ

https://www.debian.org/security/2018/dsa-4242

Details

Source: MITRE

Published: 2018-06-26

Updated: 2019-10-09

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins


ID | Name | Product | Family | Severity
112718 | Rails Sprockets 2.x < 2.12.5 / 3.x < 3.7.2 / 4.x < 4.0.0.beta8 Path Traversal | Web Application Scanning | Component Vulnerability | high
123231 | openSUSE Security Update : rubygem-sprockets (openSUSE-2019-542) | Nessus | SuSE Local Security Checks | high
120304 | Fedora 28 : rubygem-sprockets (2018-2735a12b72) | Nessus | Fedora Local Security Checks | high
111425 | openSUSE Security Update : rubygem-sprockets (openSUSE-2018-773) | Nessus | SuSE Local Security Checks | high
111251 | Fedora 27 : rubygem-sprockets (2018-fd29597fa4) | Nessus | Fedora Local Security Checks | high
110968 | Debian DSA-4242-1 : ruby-sprockets - security update | Nessus | Debian Local Security Checks | high
110831 | openSUSE Security Update : rubygem-sprockets (openSUSE-2018-686) | Nessus | SuSE Local Security Checks | high