Description

The Ruby on Rails application is running in development mode, which is insecure and leaks a lot of sensitive information about the application internals. Rails creates three environments: development, production, and test, upon application generation. The development mode enables extra debugging behaviors, beneficial to both developers and attackers. An attacker can obtain information such as Middleware, Application root, which might help an attacker gain more information, and potentially focus on the development of further attacks to the target system.

Remediation

Configure the Rails application to run in production mode using the following command: rails server -e production.

References

Rails Environments

Related Vulnerabilities

WordPress Plugin Doneren met Mollie Information Disclosure (2.8.4)

Error page path disclosure

Unrestricted access to Kong Gateway API

Pentaho API Auth bypass (CVE-2021-31602)

Microsoft IIS5 NTLM and Basic authentication bypass

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Tags

Configuration Information Disclosure