CVE-2018-3760

Impact: Important
Public Date: 2018-06-20
CWE: CWE-22
Bugzilla: 1593058: CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files

The MITRE CVE dictionary describes this issue as:

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.

Find out more about CVE-2018-3760 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
CloudForms Management Engine 5.8 | RHSA-2018:2745 | 2018-09-26
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ror42-rubygem-sprockets) | RHSA-2018:2244 | 2018-07-24
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ror50-rubygem-sprockets) | RHSA-2018:2245 | 2018-07-24
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ror50-rubygem-sprockets) | RHSA-2018:2245 | 2018-07-24
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ror42-rubygem-sprockets) | RHSA-2018:2244 | 2018-07-24
CloudForms Management Engine 5.9 | RHSA-2018:2561 | 2018-09-04

Affected Packages State

Platform | Package | State
Red Hat Subscription Asset Manager 1 | ruby193-rubygem-sprockets | Will not fix
Red Hat Satellite 6 | ruby193-rubygem-sprockets | Not affected
Red Hat Ceph Storage 1.3 | ruby193-rubygem-sprockets | Will not fix

Mitigation

Ensure config.assets.compile = false is set in production.rb. With live asset compilation disabled, the Sprockets server is not used to serve requests in production, which is the condition under which this flaw is reachable.
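The kind of containment check an asset server needs for this CWE-22 class, as an added Ruby example written for this page; it is not Sprockets' own forbidden_request?() code, and the asset root used in it is a made-up path. A request path is percent-decoded once, then must resolve to a location strictly under the configured root.

```ruby
require 'uri'

# Hypothetical containment check for an asset server (illustration only,
# not the Sprockets implementation).
class AssetRootGuard
  def initialize(root)
    # Resolve the root once so every comparison uses an absolute, normalized path.
    @root = File.expand_path(root)
  end

  # True when the requested path may be served, i.e. it resolves to a file
  # strictly inside the asset root.
  def allowed?(request_path)
    # Decode exactly once so "%2e%2e" is seen as ".." before any check runs;
    # malformed %-sequences are rejected rather than guessed at.
    decoded = URI.decode_www_form_component(request_path)
    return false if decoded.include?("\0")
    # Absolute paths and "~" never name an asset; File.expand_path would
    # otherwise turn "~/x" into a home-directory path.
    return false if decoded.start_with?('/', '~')
    # Reject any explicit parent-directory segment, whichever separator is used.
    return false if decoded.split(%r{[\\/]}).include?('..')
    # Normalize relative to the root, then require the result to sit under
    # root plus a separator. The trailing separator is what stops a sibling
    # such as "/srv/assets_evil" from matching a root of "/srv/assets".
    resolved = File.expand_path(decoded, @root)
    resolved.start_with?(@root + File::SEPARATOR)
  rescue ArgumentError
    false
  end
end

if __FILE__ == $0
  guard = AssetRootGuard.new('/srv/app/public/assets') # constructed root
  puts guard.allowed?('javascripts/application.js')   # true
  puts guard.allowed?('%2e%2e/%2e%2e/etc/passwd')       # false
end
```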

CVE description copyright © 2017, The MITRE Corporation