A file content disclosure vulnerability exists in Action View. Specially crafted accept headers in combination with calls to "render file:" can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to "render" which render file contents without a specified accept format. Impacted code in a controller looks something like this:

class UserController < ApplicationController
  def index
    # Renders a file from disk; no format is pinned, so the request's
    # Accept header takes part in choosing what gets rendered.
    render file: "#{Rails.root}/some/file"
  end
end

Rendering templates as opposed to files is not impacted by this vulnerability.

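The following is an added illustration, not code from the advisory or from Rails itself: a plain-Ruby model of how a file-render lookup turns a base path plus a format into candidate files. It shows two defensive properties: formats taken from an Accept header are only ever drawn from an allowlist of registered media types, and pinning the format on the render call (the `formats:` option, e.g. `render file: "#{Rails.root}/some/file", formats: [:html]`) removes the request from the path computation entirely. The media-type table, the `:html` default and all function names are assumptions for this example.

```ruby
# Added example: simplified model of a file-render format lookup (not Rails code).

# Assumed allowlist: media type => template format. Only entries here can ever
# become the extension appended to a file path.
MIME_TO_FORMAT = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Parse an Accept header and keep only formats that map to a registered media
# type. Unregistered or malformed entries contribute nothing, so request data
# never reaches the path string directly.
def formats_from_accept(accept_header)
  accept_header.to_s.split(",")
    .map { |entry| entry.split(";").first.strip }   # drop q-values and spaces
    .map { |media_type| MIME_TO_FORMAT[media_type] }
    .compact
    .uniq
end

# Decide which formats the render call will look up. A pinned list (the
# `formats:` option) wins outright; only without it does the Accept header take
# part, and even then only through the allowlist above. Falls back to :html
# (assumed default) when nothing usable was requested.
def render_formats(accept_header, pinned: nil)
  pinned_list = Array(pinned)
  return pinned_list unless pinned_list.empty?
  formats = formats_from_accept(accept_header)
  formats.empty? ? [:html] : formats
end

# Candidate files a `render file:` lookup would probe, in order.
def candidate_paths(base_path, accept_header, pinned: nil)
  render_formats(accept_header, pinned: pinned).map { |fmt| "#{base_path}.#{fmt}" }
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/some/file"   # constructed stand-in for "#{Rails.root}/some/file"
  puts candidate_paths(base, "application/json").inspect
  puts candidate_paths(base, "application/json", pinned: [:html]).inspect
end
```

With the format pinned, the second call yields the same `.html` candidate whatever the Accept header says, which is the property the workaround relies on.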
All users running an affected release should either upgrade or use one of the workarounds immediately.
