Bug 1593058 (CVE-2018-3760)
| Summary: | CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | bcourt, bkabrda, bkearney, cbillett, cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jaruga, jfrey, jhardy, jorton, jprause, kseifried, mmccune, mrike, obarenbo, ohadlevy, rchan, rjerrido, roliveri, ruby-maint, sfowler, simaishi, sisharma, strzibny, tjay, tomckay, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-sprockets 4.0.0beta8, rubygem-sprockets 3.7.2, rubygem-sprockets 2.12.5 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-09-26 00:24:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1593059, 1595901, 1595902, 1595903, 1595904, 1608601, 1608602 | | |
| Bug Blocks: | 1593060 | | |
Description
Sam Fowler
2018-06-20 00:41:28 UTC
Created rubygem-sprockets tracking bugs for this issue:

Affects: fedora-all [bug 1593059]

Red Hat Ceph Storage 1.3 shipped ruby193-rubygem-sprockets as a dependency for rhcs-installer in tech preview. It is not used as a server and it is not essential for the working of the Ceph cluster.

I was able to reproduce this and traverse to any file. This seems to be reproducible by default on development and testing setups of a Rails server. For production, this requires that "config.assets.compile" in production.rb be set to true, which does not appear to be the default value.

Mitigation: Ensure config.assets.compile = false in production.rb.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2245 https://access.redhat.com/errata/RHSA-2018:2245

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2244 https://access.redhat.com/errata/RHSA-2018:2244

This issue has been addressed in the following products:

CloudForms Management Engine 5.9

Via RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2561

This issue has been addressed in the following products:

CloudForms Management Engine 5.8

Via RHSA-2018:2745 https://access.redhat.com/errata/RHSA-2018:2745