CVE-2016-0752
KEV
🔴 Patch now
A vulnerability in Ruby on Rails allows remote attackers to read arbitrary files.
CVSS: 7.5
EPSS: 91.0%
Exploit: weaponized
Vendor: rubyonrails
Source description (NVD)
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
exploit path-traversal
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.5 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploit probability) | 91.0% |
| Published (NVD) | 2016-02-16 02:59:06 UTC |
| Last modified (NVD) | 2026-04-22 14:36:55 UTC |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html (secalert@redhat.com) [Permissions Required]
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html (secalert@redhat.com) [Permissions Required]
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html (secalert@redhat.com) [Mailing List, Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html (secalert@redhat.com) [Mailing List, Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html (secalert@redhat.com) [Mailing List, Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2016-0296.html (secalert@redhat.com) [Third Party Advisory]
- http://www.debian.org/security/2016/dsa-3464 (secalert@redhat.com) [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2016/01/25/13 (secalert@redhat.com) [Exploit, Mailing List]
- http://www.securityfocus.com/bid/81801 (secalert@redhat.com) [Broken Link, Third Party Advisory, VDB Entry]
- http://www.securitytracker.com/id/1034816 (secalert@redhat.com) [Broken Link, Third Party Advisory, VDB Entry]
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ (secalert@redhat.com) [Broken Link]
- https://www.exploit-db.com/exploits/40561/ (secalert@redhat.com) [Exploit, Third Party Advisory, VDB Entry]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]