cnvd-2019-07446
Vulnerability from cnvd
Title
Ruby on Rails arbitrary file read vulnerability
Description
Ruby on Rails is a web development framework written in Ruby that is highly productive, maintainable and easy to deploy, and one of the most widely used web application frameworks worldwide.
Ruby on Rails contains an arbitrary file read vulnerability. It arises when render is used to render a file without an explicitly specified format: the format is then taken from the client's Accept header and interpolated into the template lookup path, so a specially crafted Accept header combined with a render file: call makes the server render, and thereby disclose, the contents of arbitrary files it can read. Applications that never call render file:, or that pass an explicit formats: option to every such call, are not exposed.
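The lookup mechanism described above, as an added example that is not Rails's code and not part of this advisory: a stripped-down model of a template resolver that, like the vulnerable render file: path, builds a filesystem glob from the client's Accept header and expands it relative to the views root, beside a negotiator restricted to registered formats, which is the approach of the upstream fix. All names (MIME_TO_FORMAT, HANDLERS, resolve_template, the constructed directory tree and the secret.txt file) are this example's own assumptions, and the glob pattern is a simplification of the real Rails one.

```ruby
# Added example (not Rails's own code): model of an Accept-header driven
# template lookup, weak and hardened. All names and data are constructed.
require "tmpdir"
require "fileutils"

# Constructed registry: the only formats the application knows how to render.
MIME_TO_FORMAT = {
  "text/html"        => "html",
  "application/json" => "json",
  "application/xml"  => "xml",
}.freeze
HANDLERS = %w[erb html].freeze

# Split an Accept header into media-type strings, dropping ;q= parameters.
def accept_types(accept)
  accept.to_s.split(",").map { |part| part.split(";").first.to_s.strip }.reject(&:empty?)
end

# Weak negotiation: an unknown media type is passed through verbatim as a
# format name, so the client controls a component of the lookup glob.
def weak_formats(accept)
  accept_types(accept).map { |type| MIME_TO_FORMAT.fetch(type, type) }
end

# Hardened negotiation: only registered media types yield a format; anything
# else is dropped instead of reaching the filesystem.
def registered_formats(accept)
  accept_types(accept).map { |type| MIME_TO_FORMAT[type] }.compact
end

# Build the lookup glob from the template name and negotiated formats, expand
# it relative to the views root, then glob. File.expand_path resolves ".."
# segments textually, so a format of "../../../../secret.txt{{" walks out of
# the root; the trailing "{{" rebalances the braces that the walk discards,
# leaving a pattern Dir.glob still expands.
def resolve_template(views_root, template, formats)
  query = "#{template}{.{en},}{.{#{formats.join(',')}},}{.{#{HANDLERS.join(',')}},}"
  Dir.glob(File.expand_path(query, views_root)).first
end

# Demonstration on a constructed tree: views_root/index.html.erb is the real
# template and tmp/secret.txt sits three directories above the views root.
def demo
  Dir.mktmpdir("cve-2019-5418") do |tmp|
    views_root = File.join(tmp, "app", "views")
    FileUtils.mkdir_p(views_root)
    template = File.join(views_root, "index.html.erb")
    File.write(template, "<h1>hi</h1>")
    secret = File.join(tmp, "secret.txt")
    File.write(secret, "db_password=hunter2\n") # constructed sensitive file

    evil_accept = "../../../../secret.txt{{"
    {
      weak_benign: resolve_template(views_root, "index", weak_formats("text/html")),
      weak_evil:   resolve_template(views_root, "index", weak_formats(evil_accept)),
      hard_benign: resolve_template(views_root, "index", registered_formats("text/html")),
      hard_evil:   resolve_template(views_root, "index", registered_formats(evil_accept)),
      secret:      secret,
      template:    template,
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the weak negotiator the crafted Accept value resolves to secret.txt while a normal text/html request resolves to index.html.erb; with formats restricted to registered types the crafted value yields no template at all (nil here, a missing-template error in Rails), and nothing client-controlled reaches the glob. Passing an explicit formats: option to render file: in an unpatched application removes the client-controlled component in the same way.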
Severity
Medium
Patch Name
Patch for the Ruby on Rails arbitrary file read vulnerability
Patch Description
Ruby on Rails is a web development framework written in Ruby that is highly productive, maintainable and easy to deploy, and one of the most widely used web application frameworks worldwide.
Ruby on Rails contains an arbitrary file read vulnerability. It arises when render is used to render a file without an explicitly specified format, so the format is taken from the client's Accept header and interpolated into the template lookup path; an attacker can exploit this to make the server render, and thereby disclose, the contents of arbitrary files. The vendor has published a security advisory and patch information that fix this vulnerability.
Formal description
The vendor has released a fix; upgrade to a fixed release (6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2 or 4.2.11.1, as listed under Impacted products) and follow updates at: https://rubyonrails.org/
Until an upgrade is possible, pass an explicit formats: option to every render file: call (for example render file: "...", formats: [:html]) so the rendered format is no longer taken from the request.
Reference
https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e267
https://www.seebug.org/vuldb/ssvid-97864
Impacted products
Vendor | Product | Affected versions |
---|---|---|
Ruby on Rails | Ruby on Rails | <6.0.0.beta3 |
Ruby on Rails | Ruby on Rails | <5.2.2.1 |
Ruby on Rails | Ruby on Rails | <5.1.6.2 |
Ruby on Rails | Ruby on Rails | <5.0.7.2 |
Ruby on Rails | Ruby on Rails | <4.2.11.1 |
CVE
CVE-2019-5418
Discoverer
Aaron Patterson
Vulnerability type
General software/hardware vulnerability
Open time
2019-03-19
Submit time
2019-03-19
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.