CVE-2016-0752
Directory traversal vulnerability in Action View in Ruby on Rails
7.5
HIGH
CVSS 3.1
⚠ KEV · EPSS 90.5%
Description
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
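The description's phrase "unrestricted use of the render method" refers to the pattern of passing a request-controlled value straight to render (for example `render params[:template]`), so that a name containing `../` segments is resolved relative to the view root and walks out of it. The following is an added example written for this page, not code from the Rails project or from the advisory: it simulates that lookup with a plain `File.read` inside a temporary directory (the fixture files, the `pages/about` template name and the `database.yml` target are constructed for the demonstration), then shows two hardened resolvers, one that maps the request value onto a fixed allowlist and one that canonicalises the joined path and refuses anything that leaves the view root.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Constructed fixture, not a real app: a minimal app/views tree plus a file that
# lives outside it and must never be reachable through render.
def build_fixture(root)
  view_root = File.join(root, "app", "views")
  FileUtils.mkdir_p(File.join(view_root, "pages"))
  File.write(File.join(view_root, "pages", "about"), "<h1>About</h1>")
  File.write(File.join(root, "database.yml"), "password: hunter2\n")
  view_root
end

# The vulnerable shape: the template name comes straight from the request
# (think `render params[:template]`) and is joined onto the view root, so
# "../" segments walk out of it. File.read stands in for the template lookup;
# this is a simulation, not Rails' resolver.
def vulnerable_render(view_root, template)
  File.read(File.join(view_root, template))
end

# Fix 1: the request selects from a fixed set of names, so user input never
# becomes part of a filesystem path at all.
ALLOWED_TEMPLATES = %w[pages/about pages/contact].freeze

def render_allowlisted(view_root, template)
  unless ALLOWED_TEMPLATES.include?(template)
    raise ArgumentError, "unknown template #{template.inspect}"
  end
  File.read(File.join(view_root, template))
end

# Fix 2: when the name must stay dynamic, canonicalise the joined path and
# refuse anything that does not remain under the view root. Pathname#+ already
# collapses ".." and replaces the base on an absolute argument, so both the
# "../" and "/etc/..." forms are caught by the prefix check; the realpath check
# afterwards catches symlinks inside the tree that point out of it.
def render_confined(view_root, template)
  root = Pathname.new(view_root).realpath
  prefix = root.to_s + File::SEPARATOR
  candidate = (root + template).cleanpath
  unless candidate.to_s.start_with?(prefix)
    raise ArgumentError, "template escapes view root: #{template.inspect}"
  end
  real = candidate.realpath   # Errno::ENOENT if the template does not exist
  unless real.to_s.start_with?(prefix)
    raise ArgumentError, "template resolves outside view root via symlink"
  end
  real.read
end

# Returns true when the given resolver rejects the payload with ArgumentError.
def blocked?(view_root, payload)
  yield view_root, payload
  false
rescue ArgumentError
  true
end

# Runs all three resolvers against the same traversal payload and reports what
# each one did, so the difference is visible side by side.
def demo(payload = "../../database.yml")
  Dir.mktmpdir do |root|
    view_root = build_fixture(root)
    absolute  = File.join(root, "database.yml")
    {
      legit: render_confined(view_root, "pages/about"),
      leaked: vulnerable_render(view_root, payload),
      allowlist_blocks: blocked?(view_root, payload) { |r, t| render_allowlisted(r, t) },
      confine_blocks: blocked?(view_root, payload) { |r, t| render_confined(r, t) },
      confine_blocks_absolute: blocked?(view_root, absolute) { |r, t| render_confined(r, t) },
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Of the two fixes, the allowlist is the one to prefer in an application: it removes the filesystem from the trust boundary entirely, while the confinement check is the fallback for code that genuinely has to build template names at runtime. Upgrading Rails remains necessary either way, since the vulnerable resolution happens inside the framework.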
How to fix CVE-2016-0752
To remediate CVE-2016-0752, upgrade the affected package to a fixed version below. The first entry is a distribution package version (the leading 2: is a package epoch and -1 a package revision), the other two are upstream gem versions. Per the description, the fixed upstream release for each branch is 3.2.22.1, 4.1.14.1 (the upgrade target for 4.0.x as well, which received no fix of its own), 4.2.5.1 and 5.0.0.beta1.1.
- upgrade to 2:4.2.5.1-1 or later
- upgrade to 4.1.14.1 or later
- upgrade to 4.1.14.1 or later
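To decide whether a given application needs this upgrade, the per-branch ranges from the description have to be applied to the version actually locked in the project. The script below is an added example for this page (editor's code, not from the advisory or from Rails): it encodes those ranges with `Gem::Version`, which orders prerelease versions such as 5.0.0.beta1 correctly, and pulls the relevant gem versions out of a Gemfile.lock. The sample lockfile is constructed inline; the assumption that Action View ships in the `actionview` gem from Rails 4.1 on and in `actionpack` before that, and the four-space-indent regex for spec lines, are the editor's, not something stated on the page.

```ruby
require "rubygems"

# Fixed releases per branch, taken from the advisory description. Anything
# below FIX_3_2 is vulnerable: 3.2.x before the fix and every older release line.
FIX_3_2 = Gem::Version.new("3.2.22.1")
FIX_4_1 = Gem::Version.new("4.1.14.1")   # also the target for 4.0.x, which has no fix of its own
FIX_4_2 = Gem::Version.new("4.2.5.1")
FIX_5_0 = Gem::Version.new("5.0.0.beta1.1")

# True when a Rails / Action View version string falls inside an affected range.
def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string)
  major, minor = v.segments.first(2)
  minor ||= 0
  if v < FIX_3_2 then true
  elsif major == 4 && minor <= 1 then v < FIX_4_1
  elsif major == 4 && minor == 2 then v < FIX_4_2
  elsif major == 5 then v < FIX_5_0
  else false
  end
end

# Gems that carry Action View (editor's assumption): actionview from Rails 4.1
# on, actionpack before the split; rails is included because it pins both.
WATCHED_GEMS = %w[rails actionview actionpack].freeze

# Pulls "    name (x.y.z)" spec lines (exactly four spaces of indent) out of a
# Gemfile.lock. Six-space dependency lines such as "      actionview (= 4.2.5)"
# do not match because of the "= " inside the parentheses and the indent.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, acc|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    acc[m[1]] = m[2] if m && WATCHED_GEMS.include?(m[1])
  end
end

# Maps each watched gem to [locked version, vulnerable?].
def audit_lockfile(lockfile_text)
  locked_versions(lockfile_text).transform_values do |ver|
    [ver, vulnerable_version?(ver)]
  end
end

# Constructed sample lockfile (not from a real project), pinned one patch
# release below the 4.2 fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.5)
        actionview (= 4.2.5)
        activesupport (= 4.2.5)
      actionview (4.2.5)
        activesupport (= 4.2.5)
      rails (4.2.5)
        actionpack (= 4.2.5)
        actionview (= 4.2.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK).each do |gem_name, (ver, vuln)|
    puts format("%-12s %-14s %s", gem_name, ver, vuln ? "VULNERABLE" : "ok")
  end
end
```

Run it against a real project with `audit_lockfile(File.read("Gemfile.lock"))`. A version that is not vulnerable by this check is still worth confirming against the description, since the page's own range list covers only part of the affected branches.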
Is CVE-2016-0752 being exploited?
Yes — CVE-2016-0752 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (3)
- >= 0, < 2:4.2.5.1-1
- >= 4.0.0, < 4.1.14.1
- >= 4.0.0, < 4.1.14.1
These ranges cover one distribution package and the 4.0/4.1 gem branch only. Per the description, 3.2.x before 3.2.22.1 (and every older release line), 4.2.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 are also affected, so a version that falls outside the listed ranges is not safe until it has been checked against the description as well.
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |

The vector string carries a CVSS:3.0 prefix although the version column says 3.1; the base metrics (network, low complexity, no privileges, no user interaction, high confidentiality impact only) score 7.5 under either version. The trailing E:H is a temporal metric (exploit code maturity: high), which does not change the 7.5.