Unknown · Message Bus · CVE-2021-43840
Name of the Vulnerable Software and Affected Versions:
message bus versions prior to 3.3.7
Description:
The issue is a path traversal bug in the diagnostics route that could lead to disclosure of secret files on the host if an unauthorized user gains access to that route. Only deployments with the diagnostics feature enabled are affected; it is off by default. The impact is greater when no proxy sits in front of the web application, because the number of directory levels that can be traversed upward is not bounded. Behind a proxy the impact varies with how the proxy normalises paths: for example, if requests pass through Nginx with `merge_slashes` enabled, traversal is limited to 3 directory levels.
Recommendations:
For versions prior to 3.3.7, update to version 3.3.7 to resolve the issue.
As a temporary workaround, consider disabling MessageBus::Diagnostics in production-like environments until a patch is applied.
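The defect described above is a missing containment check on the requested path. As an added illustration (not message_bus's own code; `safe_asset_path`, `ASSET_ROOT` and the sample file are constructed for this example), the Ruby check below anchors a requested asset name under a fixed directory and rejects anything that escapes it, including the doubled-slash variants that a proxy's slash merging would otherwise normalise:

```ruby
require 'pathname'
require 'tmpdir'

# Constructed sandbox directory standing in for a real asset root.
ASSET_ROOT = Pathname.new(Dir.mktmpdir('assets')).realpath
# Constructed sample asset so the allowed path can actually be read.
(ASSET_ROOT + 'diagnostics.js').write("console.log('ok');\n")

class PathTraversal < StandardError; end

# Resolve a client-supplied asset name inside `root`.
# Returns the absolute Pathname, or raises PathTraversal when the
# request would resolve to anything outside the root.
def safe_asset_path(requested, root = ASSET_ROOT)
  raise PathTraversal, 'absolute paths not allowed' if requested.start_with?('/')
  raise PathTraversal, 'null byte in path' if requested.include?("\0")

  # cleanpath collapses "a//b", "./" and "x/../" lexically; Pathname#+ then
  # anchors the result under root, so "../../etc/passwd" resolves upward
  # from root rather than being concatenated as a string.
  candidate = (root + Pathname.new(requested).cleanpath).cleanpath

  # Lexical containment: the resolved path must be strictly below root.
  # Also rejects "" (which resolves to root itself) because a route should
  # serve files, not the directory.
  unless candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise PathTraversal, "escapes asset root: #{requested.inspect}"
  end

  # A symlink inside root could still point outside it; check the real
  # location when the file exists.
  if candidate.exist? && !candidate.realpath.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise PathTraversal, "symlink escapes asset root: #{requested.inspect}"
  end

  candidate
end

# Convenience predicate used by the checks below.
def safe?(requested)
  safe_asset_path(requested)
  true
rescue PathTraversal
  false
end
```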