CVE-2016-0752

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 3.2.22.1 Ruby on Rails versions 4.0.x through 4.1.14 Ruby on Rails versions 4.2.x through 4.2.5 Ruby on Rails versions 5.x through 5.0.0.beta1.1

Description The issue is related to a directory traversal vulnerability in the Action View component of Ruby on Rails. This vulnerability can be exploited by remote attackers to read arbitrary files by providing a .. (dot dot) in a pathname, leveraging an application's unrestricted use of the render method.

Recommendations For Ruby on Rails versions prior to 3.2.22.1, update to version 3.2.22.1 or later. For Ruby on Rails versions 4.0.x through 4.1.14, update to version 4.1.14.1 or later. For Ruby on Rails versions 4.2.x through 4.2.5, update to version 4.2.5.1 or later. For Ruby on Rails versions 5.x through 5.0.0.beta1.1, update to version 5.0.0.beta1.1 or later. As a temporary workaround, consider restricting the use of the render method to minimize the risk of exploitation.