Bug 1129272 (CVE-2019-5418)

Summary: VUL-0: CVE-2019-5418: rubygem-actionpack-4_2,rubygem-actionpack-5_1: possible file content disclosure
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, james.mason, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/226095/
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2019-03-14 15:33:02 UTC

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     6.0.0.beta3,,,,

There is a possible file content disclosure vulnerability in Action View.
Specially crafted accept headers in combination with calls to `render file:`
can cause arbitrary files on the target server to be rendered, disclosing the
file contents.

The impact is limited to calls to `render` which render file contents without
a specified accept format.  Impacted code in a controller looks something like

class UserController < ApplicationController
  def index
    # No `formats:` option is given, so the response format (and therefore the
    # file lookup) is driven by the request's Accept header.
    render file: "#{Rails.root}/some/file"
  end
end

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

The 6.0.0.beta3,,,, and releases are
available at the normal locations.

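The impacted pattern above can be hunted for mechanically. The following is an added example, not part of the bug report or of Rails: a small static check that lists `render file:` calls lacking an explicit `formats:` option and shows how such a call is pinned to a format. The sample controller source is constructed; `formats: [:html]` is the mitigation published with the upstream advisory, and the hash-style `:file =>` spelling is assumed for older code.

```ruby
# Added example (not from the bug report): audit controller source for
# `render file:` calls that do not pin a format with `formats:`.

# Matches `render file: ...` and the older `render :file => ...` syntax.
RENDER_FILE = /\brender\s*\(?\s*(?:file:|:file\s*=>)/
FORMATS_OPT = /\bformats:|:formats\s*=>/

# Returns [[line_number, stripped_line], ...] for each impacted render call.
# A call may continue over several lines; continuation lines end with a comma.
def unsafe_render_file_calls(source)
  lines = source.lines
  findings = []
  lines.each_with_index do |line, i|
    next unless line =~ RENDER_FILE
    stmt = line.dup
    j = i
    while stmt.rstrip.end_with?(",") && j + 1 < lines.size
      j += 1
      stmt << lines[j]
    end
    findings << [i + 1, line.strip] unless stmt =~ FORMATS_OPT
  end
  findings
end

# Pins a single-line `render file:` call to HTML (the advisory's workaround).
# Lines that already carry `formats:` are returned unchanged (without newline).
def pin_format(line)
  stripped = line.chomp
  return stripped if stripped =~ FORMATS_OPT
  stripped + ", formats: [:html]"
end

# Constructed sample controller, single-quoted heredoc so "#{Rails.root}" stays literal.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end

    def show
      render file: "#{Rails.root}/some/file", formats: [:html]
    end

    def legacy
      render :file => "#{Rails.root}/other",
             :layout => false
    end

    def safe
      render template: "users/index"
    end
  end
RUBY

if __FILE__ == $0
  unsafe_render_file_calls(SAMPLE_CONTROLLER).each do |n, l|
    puts "line #{n}: #{l}\n  fix: #{pin_format(l)}"
  end
end
```

Running the script against the constructed sample reports lines 3 and 11 (the `index` and `legacy` actions); `show` already pins a format and `safe` renders a template rather than a file.
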
Comment 1 Robert Frohl 2019-03-14 16:07:06 UTC
tracking these codestreams as affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

Comment 5 Swamp Workflow Management 2019-05-08 13:09:20 UTC
openSUSE-SU-2019:1344-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1129271,1129272
CVE References: CVE-2019-5418,CVE-2019-5419
Sources used:
openSUSE Leap 15.0 (src): rubygem-actionpack-5_1-5.1.4-lp150.2.3.1

Comment 6 Alexandros Toptsoglou 2020-04-29 12:44:14 UTC