PT-2019-1854 · Ruby On Rails+3 · Action View+3

Notoriousrebel · Published 2019-03-13 · Updated 2025-09-29 · CVE-2019-5418

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Action View versions prior to 5.2.2.1
Action View versions prior to 5.1.6.2
Action View versions prior to 5.0.7.2
Action View versions prior to 4.2.11.1
Action View version 3
Description

There is a File Content Disclosure issue in Action View: specially crafted Accept headers can cause the contents of arbitrary files on the target system's filesystem to be exposed, so a remote attacker can read arbitrary files. The issue stems from errors in handling HTTP Accept headers when the render file handler is used. The impact is limited to calls to render that render file contents without a specified accept format.
Recommendations

For Action View versions prior to 5.2.2.1, upgrade to version 5.2.2.1 or later.
For Action View versions prior to 5.1.6.2, upgrade to version 5.1.6.2 or later.
For Action View versions prior to 5.0.7.2, upgrade to version 5.0.7.2 or later.
For Action View versions prior to 4.2.11.1, upgrade to version 4.2.11.1 or later.
For Action View version 3, consider applying a monkey patch in an initializer to mitigate the issue, such as the formats filter.rb patch.
As a temporary workaround, consider specifying a format when rendering a file, for example: render file: "#{Rails.root}/some/file", formats: [:html]
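As an added example that is not part of this advisory or of Rails, the following Ruby script applies a defender-side check that follows from the description: requests whose Accept header does not parse as a list of RFC 7231 media ranges are flagged from access-log lines, which is what a crafted header for this issue would look like in the logs. The log layout (a combined format with the Accept header appended as the final quoted field) and the sample log lines are constructed assumptions, and the grammar check is a heuristic rather than a complete detection.

```ruby
# Added example: flag access-log entries whose Accept header is not a syntactically
# valid list of media ranges. Assumption: the web server logs the Accept header as
# the final quoted field after the User-Agent (e.g. an nginx log_format that appends
# "$http_accept"). The log lines below are constructed, not taken from a real system.

# RFC 7231 token characters; a media range is token "/" token with optional ;name=value params.
TOKEN = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/
MEDIA_RANGE = /\A#{TOKEN}\/#{TOKEN}(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^"]*"))*\z/

# True when every comma-separated element of the header is a well-formed media range.
# An empty or absent header is treated as acceptable (the server then picks its default).
def valid_accept?(header)
  return true if header.nil? || header.strip.empty?
  header.split(",").all? { |range| range.strip.match?(MEDIA_RANGE) }
end

# Combined log format with the Accept header as the last quoted field (assumed layout).
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?<accept>[^"]*)"\z/

# Returns one hash per request whose Accept header fails the grammar check.
def suspicious_requests(lines)
  lines.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    next if valid_accept?(m[:accept])
    { ip: m[:ip], time: m[:time], request: m[:request], status: m[:status], accept: m[:accept] }
  end
end

# Constructed sample: two ordinary browser/API requests and one carrying a file path
# where a media type belongs (mirrors the advisory's "some/file" placeholder).
SAMPLE_LOG = [
  '198.51.100.4 - - [13/Mar/2019:10:01:02 +0000] "GET /reports/42 HTTP/1.1" 200 1843 "-" "Mozilla/5.0" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"',
  '198.51.100.9 - - [13/Mar/2019:10:01:07 +0000] "GET /api/reports/42 HTTP/1.1" 200 611 "-" "curl/7.64.0" "application/json"',
  '203.0.113.7 - - [13/Mar/2019:10:02:15 +0000] "GET /reports/42 HTTP/1.1" 200 2307 "-" "curl/7.64.0" "../../some/file"'
].freeze

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} #{hit[:request]} status=#{hit[:status]} accept=#{hit[:accept].inspect}"
  end
end
```

A 200 status on a flagged line is the case worth reviewing first, since a patched application responds to a malformed Accept header with an error rather than file contents.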

Exploit · Fix · Path traversal · Information Disclosure



Related Identifiers


Affected Products

Alt Linux
Action View
Suse
Ubuntu