Trending CVEs for the Week of March 25th, 2019

CVE-2019-5418 – Ruby on Rails File Content Disclosure Vulnerability

Description

This week’s trending vulnerability, CVE-2019-5418, is a file content disclosure vulnerability in Action View module of Ruby on Rails. Ruby on Rails is an open source web application framework that has been used to build hundreds of thousands of applications since its release in 2004, including some well-known ones such as GitHub, Shopify, Airbnb, Hulu and Zendesk.

The vulnerability was first announced on March 13th when new Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 were released.  It came along with two other vulnerabilities – CVE-2019-5419 – a denial of service vulnerability in Action View, and CVE-2019-5420 – a possible remote code execution exploit in Rails Development Mode.

Based on the original advisory in the Google Rails Security Group, specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Rendering templates as opposed to files is not impacted by this vulnerability.

Affected Products

Rails – all versions prior to 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 are affected.

Exploitation and Risk

The original advisory was amended on March 22nd,  to reflect a possible remote code execution (RCE) since this vulnerability can possibly be used to read the Rails secrets file and those secrets can be used to escalate to a remote code execution exploit.

Proof of concept (PoC) exploit is available on Github. PoC for the RCE is also available on Github.

Fixes

  • The issue was fixed in versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3, which were released on March 13th. All users running an affected release should upgrade to those versions.
  • In cases where an immediate upgrade is not possible, the original advisory provides a couple of workarounds. One way to mitigate the vulnerability is to explicitly specify a format for file rendering. Another way is to apply the patches that were released as part of the advisory.

References

Ruby on Rails Upgrades

Ruby on Rails Advisory for CVE-2019-5418

Amended Ruby on Rails Advisory for CVE-2019-5418

PoC Exploit for CVE-2019-5418

Share your thoughts in our community!

Click Here