Home > Vulnerability Database > CVE-2018-3760

Mend.io Vulnerability Database

CVE-2018-3760

Good to know:

Date: June 26, 2018

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

Language: Ruby

Severity Score

7.5

Related Resources (13)

Url: https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ

Url: https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5

Url: https://access.redhat.com/errata/RHSA-2018:2745

Url: https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f

Url: https://github.com/rails/sprockets

Url: https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441

Url: https://access.redhat.com/errata/RHSA-2018:2245

Url: https://www.debian.org/security/2018/dsa-4242

Url: https://access.redhat.com/errata/RHSA-2018:2244

Url: https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-3760

Url: https://access.redhat.com/errata/RHSA-2018:2561

Url: https://www.mend.io/vulnerability-database/CVE-2018-3760

Severity Score

7.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version sprockets - 3.7.2;sprockets - 2.12.5;sprockets - 4.0.0.beta8

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-3760

Good to know:

Date: June 26, 2018

Language: Ruby

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?