Description

A file content disclosure vulnerability exists in Action View. Specially crafted accept headers in combination with calls to "render file:" can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to "render" which render file contents without a specified accept format. Impacted code in a controller looks something like this: 


class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file" 
  end 
end
Rendering templates as opposed to files is not impacted by this vulnerability.

Remediation

All users running an affected release should either upgrade or use one of the workarounds immediately.

References

[CVE-2019-5418] File Content Disclosure in Action View

Related Vulnerabilities

Apache Axis2 information disclosure

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.27)

WordPress Plugin AccessAlly Information Disclosure (3.5.6)

VMware vCenter Log4Shell RCE

WordPress Plugin Credova_Financial Information Disclosure (1.4.8)

Severity

High

Classification

CVE-2019-5418 CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Information Disclosure