Trending CVEs for the Week of March 25th, 2019
- Mar 27, 2019
- Shawn Evans
This week’s trending vulnerability, CVE-2019-5418, is a file content disclosure vulnerability in the Action View module of Ruby on Rails. Ruby on Rails is an open source web application framework that has been used to build hundreds of thousands of applications since its release in 2004, including well-known ones such as GitHub, Shopify, Airbnb, Hulu and Zendesk.
The vulnerability was first announced on March 13th, when Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 were released. It was disclosed alongside two other vulnerabilities: CVE-2019-5419, a denial of service vulnerability in Action View, and CVE-2019-5420, a possible remote code execution vulnerability in Rails Development Mode.
According to the original advisory posted to the Rails Security Google Group, specially crafted Accept headers combined with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing their contents. The impact is limited to `render` calls that render file contents without a specified format; rendering templates, as opposed to files, is not affected by this vulnerability.
All Rails versions prior to 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 are affected.
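As an added example (not code from the post, the advisory or the Rails project), the following Ruby script audits controller sources for the affected pattern described above: a `render file:` call with no explicit `formats:` option. The sample controllers, their paths and the regex heuristic are constructed assumptions, not a full Ruby parser.

```ruby
# Added example (not from the post or Rails): regex heuristic, not a parser, that
# flags `render file:` calls with no `formats:` option, the pattern the advisory covers.
RENDER_FILE_RE = /\brender\s*\(?\s*(?:file:|:file\s*=>)/   # keyword or hash-rocket form
FORMATS_RE     = /\bformats?\s*(?::|=>)/                     # e.g. `formats: [:html]`

# Join physical lines into logical statements so a render call split across lines
# (trailing comma, open paren or backslash) is examined as one unit.
def logical_statements(code)
  stmts, buf, start = [], String.new, nil
  code.each_line.with_index(1) do |line, lineno|
    start ||= lineno
    buf << line
    next if line.rstrip.end_with?(",", "(", "\\")
    stmts << [start, buf]
    buf, start = String.new, nil
  end
  stmts << [start, buf] unless buf.empty?
  stmts
end

# sources: { "path" => source_text }. One finding per render call that renders
# a file without pinning a format; template rendering is ignored.
def audit_render_file(sources)
  sources.flat_map do |path, code|
    logical_statements(code).map do |lineno, stmt|
      next unless stmt =~ RENDER_FILE_RE
      next if stmt =~ FORMATS_RE        # format given: not the affected pattern
      { file: path, line: lineno, code: stmt.strip.gsub(/\s+/, " ") }
    end.compact
  end
end

# Constructed sample controllers (single-quoted heredocs, so no interpolation).
SAMPLE_SOURCES = {
  "app/controllers/docs_controller.rb" => <<~'RUBY',
    class DocsController < ApplicationController
      def show     # affected: file rendered, no format specified
        render file: "#{Rails.root}/docs/readme"
      end
      def manual   # not affected: format pinned to HTML
        render file: "#{Rails.root}/docs/manual", formats: [:html]
      end
    end
  RUBY
  "app/controllers/legacy_controller.rb" => <<~'RUBY',
    class LegacyController < ApplicationController
      def old      # affected, and split across two lines
        render :file => "public/legacy",
               :layout => false
      end
    end
  RUBY
}
audit_render_file(SAMPLE_SOURCES).each { |f| puts "#{f[:file]}:#{f[:line]}: #{f[:code]}" }
```

Run against a real application by replacing `SAMPLE_SOURCES` with a hash built from `Dir.glob("app/**/*.rb")`; every hit is a call to review and pin with `formats:` or upgrade past.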
The original advisory was amended on March 22nd to reflect possible remote code execution (RCE): the vulnerability can be used to read the Rails secrets file, and those secrets can then be used to escalate to remote code execution.
A proof of concept (PoC) exploit is available on GitHub, as is a PoC for the RCE.
Ruby on Rails Advisory for CVE-2019-5418
Amended Ruby on Rails Advisory for CVE-2019-5418