CVE-2016-0752
critical-risk
Published 2016-02-16
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
Do I need to act?
!
91.1% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (7)
Affected Vendors
References (25)
Permissions Required
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.h...
Permissions Required
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.h...
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0296.html
Mailing List
http://www.debian.org/security/2016/dsa-3464
Broken Link
http://www.securityfocus.com/bid/81801
Broken Link
http://www.securitytracker.com/id/1034816
Permissions Required
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.h...
Permissions Required
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.h...
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0296.html
Mailing List
http://www.debian.org/security/2016/dsa-3464
and 5 more references
74
/ 100
critical-risk
Severity
26/34 · High
Exploitability
34/34 · Critical
Exposure
14/34 · Moderate