NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

Trending CVEs for the Week of March 25th, 2019

Why IAM Technology is Critical to Your Vulnerability Management Program

CVE-2019-5418 – Ruby on Rails File Content Disclosure Vulnerability

Description

This week’s trending vulnerability, CVE-2019-5418, is a file content disclosure vulnerability in Action View module of Ruby on Rails. Ruby on Rails is an open source web application framework that has been used to build hundreds of thousands of applications since its release in 2004, including some well-known ones such as GitHub, Shopify, Airbnb, Hulu and Zendesk.

The vulnerability was first announced on March 13th when new Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 were released.  It came along with two other vulnerabilities – CVE-2019-5419 – a denial of service vulnerability in Action View, and CVE-2019-5420 – a possible remote code execution exploit in Rails Development Mode.

Based on the original advisory in the Google Rails Security Group, specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Rendering templates as opposed to files is not impacted by this vulnerability.

Affected Products

Rails – all versions prior to 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 are affected.

Exploitation and Risk

The original advisory was amended on March 22nd,  to reflect a possible remote code execution (RCE) since this vulnerability can possibly be used to read the Rails secrets file and those secrets can be used to escalate to a remote code execution exploit.

Proof of concept (PoC) exploit is available on Github. PoC for the RCE is also available on Github.

Fixes

  • The issue was fixed in versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3, which were released on March 13th. All users running an affected release should upgrade to those versions.
  • In cases where an immediate upgrade is not possible, the original advisory provides a couple of workarounds. One way to mitigate the vulnerability is to explicitly specify a format for file rendering. Another way is to apply the patches that were released as part of the advisory.

References

Ruby on Rails Upgrades

Ruby on Rails Advisory for CVE-2019-5418

Amended Ruby on Rails Advisory for CVE-2019-5418

PoC Exploit for CVE-2019-5418

Share your thoughts in our community!

Click Here

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.