GHSA-pr3h-jjhj-573x

Source

https://github.com/advisories/GHSA-pr3h-jjhj-573x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-pr3h-jjhj-573x/GHSA-pr3h-jjhj-573x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pr3h-jjhj-573x

Aliases

CVE-2018-3760

Published

2018-06-20T22:18:58Z

Modified

2024-02-16T08:29:28.891397Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Sprockets path traversal leads to information leak

Details

Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workaround:

In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.

This work around will not be possible in all hosting environments and upgrading is advised.

References

Affected packages

RubyGems / sprockets

Package

Name: sprockets
Purl: pkg:gem/sprockets

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.7.2

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.2.0

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

RubyGems / sprockets

Package

Name: sprockets
Purl: pkg:gem/sprockets

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0.beta1

Fixed

4.0.0.beta8

Affected versions

4.*

4.0.0.beta1

4.0.0.beta2

4.0.0.beta3

4.0.0.beta4

4.0.0.beta5

4.0.0.beta6

4.0.0.beta7

Database specific

{
    "last_known_affected_version_range": "<= 4.0.0.beta7"
}

RubyGems / sprockets

Package

Name: sprockets
Purl: pkg:gem/sprockets

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.12.5

Affected versions

0.*

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.0.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.1.0.beta

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0.beta

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0.beta

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.5.0

2.5.1

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.8.3

2.9.0

2.9.2

2.9.3

2.9.4

2.10.0

2.10.1

2.10.2

2.11.0

2.11.3

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4