Bugzilla – Bug 968850
VUL-0: CVE-2016-2097: rubygem-actionview: Possible Information Leak Vulnerability in Action View.
Last modified: 2022-12-08 17:27:06 UTC
Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2

Impact
------
Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private

def verify_template(name)
  # add verification logic particular to your application here
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for it. It is in git-am format and consists of a single changeset.

* 3-2-render_data_leak_2.patch - Patch for 3.2 series
* 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits
-------
Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!

Patches
-------
http://seclists.org/oss-sec/2016/q1/att-463/4-1-render_data_leak_2.patch
http://seclists.org/oss-sec/2016/q1/att-463/3-2-render_data_leak_2.patch

CVE-2016-2097 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2097
http://seclists.org/oss-sec/2016/q1/463
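One way to fill in the `verify_template` workaround from the advisory above, as an added example that is not part of the advisory or of Rails: an allowlist maps accepted request values to fixed view names, so the request value itself is never used as a path. The template names, `UnknownTemplate` and `render_target` are hypothetical, and `render_target` stands in for a controller action so the block runs without Rails.

```ruby
# Added example, not Rails code. All names below are hypothetical.
class UnknownTemplate < StandardError; end

# Constructed allowlist: accepted request values mapped to fixed view names.
ALLOWED_TEMPLATES = {
  "about"   => "pages/about",
  "contact" => "pages/contact",
  "terms"   => "pages/terms"
}.freeze

# Returns the view name for an allowlisted key, raises otherwise.
def verify_template(name)
  # Request parameters can arrive as nil, Array or Hash; accept only a String.
  unless name.is_a?(String)
    raise UnknownTemplate, "template name must be a String, got #{name.class}"
  end
  # Exact-match lookup: anything not listed is refused, with no path parsing.
  ALLOWED_TEMPLATES.fetch(name) do
    raise UnknownTemplate, "template not allowed: #{name.inspect}"
  end
end

# Stand-in for the controller action: returns [status, view] instead of
# calling render, and answers 404 for anything outside the allowlist.
def render_target(params)
  [200, verify_template(params[:id])]
rescue UnknownTemplate
  [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  samples = [
    { id: "about" },
    { id: "../../config/database" },
    { id: { "k" => "v" } },
    {}
  ]
  samples.each do |params|
    puts "#{params.inspect} -> #{render_target(params).inspect}"
  end
end
```

In a real controller the `rescue` branch would typically respond with `head :not_found` rather than returning a tuple.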
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (968850) was mentioned in https://build.opensuse.org/request/show/369381 13.2 / rubygem-actionpack-3_2
openSUSE-SU-2016:0835-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
openSUSE 13.2 (src): rubygem-actionpack-3_2-3.2.17-3.10.1

SUSE-SU-2016:0854-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
SUSE OpenStack Cloud 5 (src): rubygem-actionview-4_1-4.1.9-12.1

released

SUSE-SU-2016:0967-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
SUSE Webyast 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Studio Onsite 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Lifecycle Management Server 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.26.1

SUSE-SU-2022:15116-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1185715,968850
CVE References: CVE-2016-2097,CVE-2021-22885
JIRA References:
Sources used:
SUSE Webyast 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.27.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.