Trending CVEs for the Week of March 25th, 2019
CVE-2019-5418 – Ruby on Rails File Content Disclosure Vulnerability
This week’s trending vulnerability, CVE-2019-5418, is a file content disclosure vulnerability in Action View module of Ruby on Rails. Ruby on Rails is an open source web application framework that has been used to build hundreds of thousands of applications since its release in 2004, including some well-known ones such as GitHub, Shopify, Airbnb, Hulu and Zendesk.
The vulnerability was first announced on March 13th when new Rails 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, and 6.0.0.beta3 were released. It came along with two other vulnerabilities – CVE-2019-5419 – a denial of service vulnerability in Action View, and CVE-2019-5420 – a possible remote code execution exploit in Rails Development Mode.
Based on the original advisory in the Google Rails Security Group, specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Rendering templates as opposed to files is not impacted by this vulnerability.
Rails – all versions prior to 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, and 6.0.0.beta3 are affected.
Exploitation and Risk
The original advisory was amended on March 22nd, to reflect a possible remote code execution (RCE) since this vulnerability can possibly be used to read the Rails secrets file and those secrets can be used to escalate to a remote code execution exploit.
- The issue was fixed in versions 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 6.0.0.beta3, which were released on March 13th. All users running an affected release should upgrade to those versions.
- In cases where an immediate upgrade is not possible, the original advisory provides a couple of workarounds. One way to mitigate the vulnerability is to explicitly specify a format for file rendering. Another way is to apply the patches that were released as part of the advisory.
Share your thoughts in our community!