rubygem-sprockets before versions 2.12.5, 3.7.2 and 4.0.0beta8 is vulnerable to a path traversal flaw in the forbidden_request?() check in sprockets/server.rb. A remote attacker who can reach an application that serves assets through the Sprockets server could use specially crafted requests to read files outside the application's asset directories, that is, any file on the host that the application process can read.
External References:
http://www.openwall.com/lists/oss-security/2018/06/19/2
https://blog.heroku.com/rails-asset-pipeline-vulnerability
Upstream Patch:
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
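The following is an added illustration, not code from Sprockets or from the upstream patch, of why a request-path guard of the shape named above is fragile: a substring test for a literal ".." on the path as received does nothing against inputs that only become a traversal after decoding, or that are not relative paths at all. The hardened variant decodes once, resolves the candidate to a canonical absolute path under the asset root, and refuses anything that leaves it. The asset root and the probe requests are constructed for the example.

```ruby
require "cgi"

# Assumed asset root for the example; any absolute directory will do.
ASSET_ROOT = "/srv/app/public/assets".freeze

# Naive guard: a literal ".." test on the raw request path. Percent-encoded
# dots and scheme-prefixed inputs contain no literal "..", so they pass.
def naive_forbidden?(path_info)
  path_info.include?("..")
end

# Hardened guard: decode once, reject anything that is not a plain path,
# resolve against the root, and require the result to stay inside it.
# Returns the resolved absolute path, or nil when the request must be refused.
def resolve_under_root(path_info, root = ASSET_ROOT)
  decoded = CGI.unescape(path_info)
  # A URI scheme ("file:", "http:", ...) or a NUL byte is never an asset name.
  return nil if decoded.match?(/\A[a-z][a-z0-9+.\-]*:/i) || decoded.include?("\0")

  root = File.expand_path(root)
  # Strip leading slashes so the request is always resolved relative to root,
  # then let expand_path collapse any "." and ".." components.
  candidate = File.expand_path(decoded.sub(%r{\A/+}, ""), root)
  return nil unless candidate == root || candidate.start_with?(root + "/")

  candidate
end

# Constructed probes: one legitimate asset name and several traversal attempts.
PROBES = [
  "application.js",
  "../../../../etc/passwd",
  "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
  "file:///etc/passwd",
  "file:%2f%2f/etc/passwd",
].freeze

# Compare both guards on every probe; returns [path, naive_blocks?, hardened_result].
def compare_guards(probes = PROBES)
  probes.map { |p| [p, naive_forbidden?(p), resolve_under_root(p)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_guards.each do |path, naive, hardened|
    puts format("%-42s naive_blocks=%-5s hardened=%s", path, naive, hardened.inspect)
  end
end
```

Note that expand_path only normalises the string; if the asset root may contain symlinks pointing outside it, resolve with File.realpath on an existing file before serving it, and keep the prefix comparison on the realpath result.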
Created rubygem-sprockets tracking bugs for this issue: Affects: fedora-all [bug 1593059]
Red Hat Ceph Storage 1.3 shipped ruby193-rubygem-sprockets as a dependency of rhcs-installer, which was in Technology Preview. It is not used as a server there and is not essential to the operation of a Ceph cluster.
I was able to reproduce this and traverse to any file. This seems to be reproducible by default on development and testing setups of a Rails server. For production, this requires that "config.assets.compile" in production.rb be set to true, which does not appear to be the default value.
Mitigation: Ensure config.assets.compile = false is set in config/environments/production.rb, so that the Sprockets server does not compile and serve assets at request time in production.
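An added exposure check, not part of this tracking bug or of Sprockets, that applies the two facts above to an application checkout: the sprockets version pinned in Gemfile.lock is compared against the fixed versions, and production.rb is inspected for the config.assets.compile setting. The Gemfile.lock excerpt and production.rb fragment are constructed sample inputs; "4.0.0.beta8" is the gem-style spelling of the 4.0.0beta8 named in the advisory.

```ruby
require "rubygems"

# First fixed release in each affected series, from the advisory text.
FIXED = {
  2 => Gem::Version.new("2.12.5"),
  3 => Gem::Version.new("3.7.2"),
  4 => Gem::Version.new("4.0.0.beta8"), # gem-style spelling of 4.0.0beta8
}.freeze

# True when the given sprockets version predates the fix for its series.
# Releases older than 2.x are compared against the 2.12.5 fix.
def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string)
  series = [v.segments.first.to_i, 2].max
  fixed = FIXED[series]
  return false unless fixed # no series beyond 4.x is named in the advisory

  v < fixed
end

# Pulls the pinned version from a Gemfile.lock "specs:" entry, e.g.
# "    sprockets (3.7.1)"; dependency lines like "sprockets (>= 3.0.0)"
# start with an operator rather than a digit and are skipped.
def sprockets_version_from_lock(lockfile_text)
  m = lockfile_text.match(/^\s+sprockets \((\d[^)\s]*)\)\s*$/)
  m && m[1]
end

# Returns true/false for an explicit config.assets.compile assignment,
# or nil when production.rb does not set it at all.
def assets_compile_setting(production_rb_text)
  m = production_rb_text.match(/^\s*config\.assets\.compile\s*=\s*(true|false)\b/)
  m ? m[1] == "true" : nil
end

# Combines both checks. A production environment is treated as exposed when the
# pinned version is vulnerable and compile is not explicitly false; an unset
# value is counted as exposed until it has been verified by hand.
def assess(lockfile_text, production_rb_text)
  version = sprockets_version_from_lock(lockfile_text)
  compile = assets_compile_setting(production_rb_text)
  vulnerable = !version.nil? && vulnerable_version?(version)
  {
    version: version,
    vulnerable_version: vulnerable,
    assets_compile: compile,
    exposed_in_production: vulnerable && compile != false,
  }
end

# Constructed sample inputs.
SAMPLE_LOCK = <<~LOCK.freeze
  GEM
    remote: https://rubygems.org/
    specs:
      sprockets (3.7.1)
        concurrent-ruby (~> 1.0)
        rack (> 1, < 3)
      sprockets-rails (3.2.1)
        actionpack (>= 4.0)
        activesupport (>= 4.0)
        sprockets (>= 3.0.0)
LOCK

WEAK_PRODUCTION_RB = <<~RUBY.freeze
  Rails.application.configure do
    config.assets.compile = true   # weak: Sprockets serves /assets at request time
  end
RUBY

FIXED_PRODUCTION_RB = <<~RUBY.freeze
  Rails.application.configure do
    config.assets.compile = false  # precompiled assets only; server path not reachable
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  p assess(SAMPLE_LOCK, WEAK_PRODUCTION_RB)
  p assess(SAMPLE_LOCK, FIXED_PRODUCTION_RB)
end
```

The mitigation only removes the production exposure; the version check is what tells you whether the gem itself still needs updating, which remains necessary for development and test environments where the Sprockets server is active by default.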
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2245 https://access.redhat.com/errata/RHSA-2018:2245
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2244 https://access.redhat.com/errata/RHSA-2018:2244
This issue has been addressed in the following products:
CloudForms Management Engine 5.9
Via RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2561
This issue has been addressed in the following products:
CloudForms Management Engine 5.8
Via RHSA-2018:2745 https://access.redhat.com/errata/RHSA-2018:2745