Home > Vulnerability Database > CVE-2016-0752

Mend.io Vulnerability Database

CVE-2016-0752

Good to know:

Date: February 15, 2016

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Language: Ruby

Severity Score

7.5

Related Resources (24)

Url: https://www.exploit-db.com/exploits/40561

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml

Url: http://www.securityfocus.com/bid/81801

Url: https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816

Url: http://rhn.redhat.com/errata/RHSA-2016-0296.html

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml

Url: http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html

Url: http://www.debian.org/security/2016/dsa-3464

Url: https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801

Url: http://www.securitytracker.com/id/1034816

Url: https://security-tracker.debian.org/tracker/CVE-2016-0752

Url: http://www.openwall.com/lists/oss-security/2016/01/25/13

Url: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Url: https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ

Url: http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html

Url: https://github.com/advisories/GHSA-xrr4-p6fq-hjg7

Url: http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html

Url: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-0752

Url: http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

Url: https://www.exploit-db.com/exploits/40561/

Url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752

Url: http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html

Url: https://www.mend.io/vulnerability-database/CVE-2016-0752

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version actionview - 4.1.14.1;actionview - 4.2.5.1;actionpack - 4.1.14.1;actionpack - 4.2.5.1;actionpack - 3.2.22.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-0752

Good to know:

Date: February 15, 2016

Language: Ruby

Severity Score

Related Resources (24)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?