Description

A file content disclosure vulnerability exists in Action View. Specially crafted accept headers in combination with calls to "render file:" can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to "render" which render file contents without a specified accept format. Impacted code in a controller looks something like this: 


class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file" 
  end 
end
Rendering templates as opposed to files is not impacted by this vulnerability.

Remediation

All users running an affected release should either upgrade or use one of the workarounds immediately.

References

[CVE-2019-5418] File Content Disclosure in Action View

Related Vulnerabilities

Test CGI script leaking environment variables

[Possible] Sublime SFTP Config File Detected

WordPress Plugin Backup Migration Information Disclosure (1.3.5)

WordPress Plugin Social Network Tabs Information Disclosure (1.7.1)

WordPress Plugin Backup Migration Arbitrary File Download (1.3.6)

Severity

High

Classification

CVE-2019-5418 CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Information Disclosure