Bug 1129272 (CVE-2019-5418)

Summary: VUL-0: CVE-2019-5418: rubygem-actionpack-4_2,rubygem-actionpack-5_1: possible file content disclosure
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, james.mason, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/226095/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2019-03-14 15:33:02 UTC
CVE-2019-5418

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Impact
------
There is a possible file content disclosure vulnerability in Action View.
Specially crafted accept headers in combination with calls to `render file:`
can cause arbitrary files on the target server to be rendered, disclosing the
file contents.

The impact is limited to calls to `render` which render file contents without
a specified accept format.  Impacted code in a controller looks something like
this:

```ruby
class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end
```

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
available at the normal locations.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5418
http://seclists.org/oss-sec/2019/q1/178
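
As an added, defender-side example that is not part of the advisory or of the Rails fix: a Rack-style middleware that rejects requests whose Accept header is not a well-formed list of media ranges, as a layered mitigation in front of controllers that still use `render file:` like the one shown above. The validation rules and the `StrictAcceptHeader` name are this example's own assumptions, and the middleware does not replace upgrading to a fixed release.

```ruby
require "stringio"

# RFC 6838 restricted name for type and subtype (or the "*" wildcard):
# it must start alphanumeric, so path-like fragments never qualify.
NAME  = /(?:\*|[A-Za-z0-9][A-Za-z0-9!\#$&\-^_.+]{0,126})/
# RFC 7230 token, used for parameter names and unquoted parameter values.
TOKEN = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/
# One media range: type "/" subtype, then optional ";name=value" parameters.
MEDIA_RANGE = %r{\A#{NAME}/#{NAME}(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^"]*"))*\z}

# True when every comma-separated element is a well-formed media range.
# A missing or empty header is accepted, since clients may omit Accept.
def valid_accept_header?(value)
  return true if value.nil? || value.strip.empty?
  value.split(",").all? { |range| range.strip.match?(MEDIA_RANGE) }
end

# Hypothetical Rack middleware (name and policy are this example's own):
# refuses and logs requests carrying a malformed Accept header before they
# reach the application's `render file:` call.
class StrictAcceptHeader
  def initialize(app, logger: $stderr)
    @app = app
    @logger = logger
  end

  # Rack convention: env is the request hash; HTTP_ACCEPT holds the header.
  def call(env)
    accept = env["HTTP_ACCEPT"]
    return @app.call(env) if valid_accept_header?(accept)

    @logger.puts("rejected malformed Accept header from #{env['REMOTE_ADDR']}")
    [400, { "Content-Type" => "text/plain" }, ["Bad Request: malformed Accept header\n"]]
  end
end

if __FILE__ == $0
  app = StrictAcceptHeader.new(->(_env) { [200, {}, ["ok"]] }, logger: StringIO.new)
  puts app.call("HTTP_ACCEPT" => "text/html, */*;q=0.8")[0]   # 200
  puts app.call("HTTP_ACCEPT" => "text/html, ../x")[0]        # 400
end
```

Rejected requests are logged with the client address so that attempts show up in monitoring; upstream users still need the fixed releases listed in the advisory.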

Comment 1 Robert Frohl 2019-03-14 16:07:06 UTC
tracking these codestreams as affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

Comment 5 Swamp Workflow Management 2019-05-08 13:09:20 UTC
openSUSE-SU-2019:1344-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1129271,1129272
CVE References: CVE-2019-5418,CVE-2019-5419
Sources used:
openSUSE Leap 15.0 (src):    rubygem-actionpack-5_1-5.1.4-lp150.2.3.1

Comment 6 Alexandros Toptsoglou 2020-04-29 12:44:14 UTC
Done