CVE-2019-5418 Information

Description

There is a File Content Disclosure vulnerability in Action View 5.2.2.1 5.1.6.2 5.0.7.2 4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system’s filesystem to be exposed.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html http://www.openwall.com/lists/oss-security/2019/03/22/1 https://access.redhat.com/errata/RHSA-2019:0796 https://access.redhat.com/errata/RHSA-2019:1147 https://access.redhat.com/errata/RHSA-2019:1149 https://access.redhat.com/errata/RHSA-2019:1289 https://groups.google.com/forum/!topic/rubyonrails-security/pFRKI96Sm8Q https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/ https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ https://www.exploit-db.com/exploits/46585/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5