Ruby on Rails File Content Disclosure (CVE-2019-5418)

Severity: High

Summary#

Invicti identified a Ruby on Rails File Content Disclosure (CVE-2019-5418).

Impact#

An attacker can read arbitrary files stored on your web server by crafting a malicious Accept header and sending it to your application. These files can contain sensitive data such as passwords, source code or encryption keys.

Additionally attackers may use the gathered data to get access to your web server or applications.

Remediation#

We suggest that you update Ruby on Rails to a version > 5.2.1 in order to fix this vulnerability.

Classifications#

ISO27001-A.14.2.5, PCI v3.2-6.5.8, OWASP 2017-A5, HIPAA-164.306(a), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, CAPEC-252, CWE-98, WASC-33, OWASP 2013-A4

Ruby on Rails File Content Disclosure (CVE-2019-5418)

Related Articles

Build your resistance to threats. And save hundreds of hours each month.