Description

All previously released versions of Sprockets (4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower), the software that powers the Rails asset pipeline, contain a directory traversal vulnerability.

Remediation

All users running an affected release should either upgrade or use one of the work arounds immediately.

References

Rails Asset Pipeline Directory Traversal Vulnerability (CVE-2018-3760)

Do not respond to http requests asking for a `file://`

CVE-2018-3760] Path Traversal in Sprockets

Related Vulnerabilities

WordPress Plugin Import CSV Directory Traversal (1.0)

WordPress Plugin Tinymce Thumbnail Gallery 'href' Parameter Information Disclosure (1.0.7)

WordPress Plugin WP Post Popup Directory Traversal (2.0)

WordPress Plugin Simple Backup Multiple Vulnerabilities (2.7.11)

WordPress Plugin WP AmASIN-The Amazon Affiliate Shop Directory Traversal (0.9.6)

Severity

High

Classification

CVE-2018-3760 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Directory Traversal