The Wicked gem prior to v1.0.1 allows a remote attacker to traverse directories on the system via a vulnerability in controller/concerns/render_redirect.rb
. An attacker can send a specially-crafted URL request containing %2E%2E%2F
directory traversal sequences to read arbitrary files on the system.