Bug 1593058 (CVE-2018-3760) - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
Summary: CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-3760
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1593059 1595901 1595902 1595903 1595904 1608601 1608602
Blocks: 1593060
TreeView+ depends on / blocked
 
Reported: 2018-06-20 00:41 UTC by Sam Fowler
Modified: 2021-02-17 00:06 UTC (History)
33 users (show)

Fixed In Version: rubygem-sprockets 4.0.0beta8, rubygem-sprockets 3.7.2, rubygem-sprockets 2.12.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-26 00:24:14 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2244 0 None None None 2018-07-24 07:46:56 UTC
Red Hat Product Errata RHSA-2018:2245 0 None None None 2018-07-24 07:45:47 UTC
Red Hat Product Errata RHSA-2018:2561 0 None None None 2018-09-04 18:00:38 UTC
Red Hat Product Errata RHSA-2018:2745 0 None None None 2018-09-26 18:36:43 UTC

Description Sam Fowler 2018-06-20 00:41:28 UTC 
rubygem-sprockets before versions 2.12.5, 3.7.2 and 4.0.0beta8 are vulnerable to a path traversal flaw in the sprockets/server.rb:forbidden_request?() function. A remote attacker could exploit this to read arbitrary files from the Sprockets server.


External References:

http://www.openwall.com/lists/oss-security/2018/06/19/2
https://blog.heroku.com/rails-asset-pipeline-vulnerability


Upstream Patch:

https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
Comment 1 Sam Fowler 2018-06-20 00:42:09 UTC 
Created rubygem-sprockets tracking bugs for this issue:

Affects: fedora-all [bug 1593059]
Comment 2 Siddharth Sharma 2018-06-20 08:38:13 UTC 
Red Hat Ceph Storage 1.3 shipped ruby193-rubygem-sprockets as dependency for rhcs-installer in tech preview. It is not used as server and it is not essential for working of ceph cluster.
Comment 5 Scott Gayou 2018-06-27 17:31:26 UTC 
I was able to reproduce this and traverse to any file. This seems to be reproducible by default on development and testing setups of rails server. For production, this requires that "config.assets.compile" in production.rb be set to true, which does not appear to be a default value.
Comment 6 Scott Gayou 2018-06-27 17:42:29 UTC 
Mitigation:

Ensure config.assets.compile = false in production.rb.
Comment 10 errata-xmlrpc 2018-07-24 07:45:22 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2245 https://access.redhat.com/errata/RHSA-2018:2245
Comment 11 errata-xmlrpc 2018-07-24 07:45:34 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2244 https://access.redhat.com/errata/RHSA-2018:2244
Comment 12 errata-xmlrpc 2018-07-24 07:46:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2244 https://access.redhat.com/errata/RHSA-2018:2244
Comment 17 errata-xmlrpc 2018-09-04 18:00:24 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2561
Comment 18 errata-xmlrpc 2018-09-26 18:36:29 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:2745 https://access.redhat.com/errata/RHSA-2018:2745
Note You need to log in before you can comment on or make changes to this bug.