Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-3760

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

Published

2018-06-26T19:29:00.343

Last Modified

2024-11-21T04:06:01.503

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-22
Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	cloudforms	4.5	Yes
Application	redhat	cloudforms	4.6	Yes
Operating System	redhat	enterprise_linux	6.0	Yes
Operating System	redhat	enterprise_linux	6.7	Yes
Operating System	redhat	enterprise_linux	7.0	Yes
Operating System	redhat	enterprise_linux	7.3	Yes
Operating System	redhat	enterprise_linux	7.4	Yes
Operating System	redhat	enterprise_linux	7.5	Yes
Operating System	redhat	enterprise_linux	7.6	Yes
Application	sprockets_project	sprockets	≤ 2.12.4	Yes
Application	sprockets_project	sprockets	≤ 3.7.1	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Application	sprockets_project	sprockets	4.0.0	Yes
Operating System	debian	debian_linux	9.0	Yes

References

https://access.redhat.com/errata/RHSA-2018:2244 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2245 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2561 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2745 Third Party Advisory ([email protected])
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5 Broken Link ([email protected])
https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ Patch, Third Party Advisory ([email protected])
https://www.debian.org/security/2018/dsa-4242 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2244 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2245 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2561 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2745 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2018/dsa-4242 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)