#VU13592 Information disclosure in Sprockets


Published: 2018-07-05

Vulnerability identifier: #VU13592

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3760

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Sprockets
Universal components / Libraries / Software for developers

Vendor: Rails

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error that allows to access files outside an application's root directory. A local user can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Sprockets: 2.12.0 - 4.0.0.beta7

External links
http://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
http://github.com...
http://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for rubygem-sprockets
Debian update for ruby-sprockets
Information disclosure in Sprockets
OpenSUSE Linux update for rubygem-sprockets