March 14, 2019
Summary
Serious security vulnerabilities have been disclosed in the Ruby on Rails web application framework: a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability, both in Action View. Consult the referenced advisories [1] to determine whether your Rails application is affected.
Impact
- CVE-2019-5418: File content disclosure in Action View. A specially crafted Accept header, combined with a call to `render file:`, can cause an arbitrary file on the target server to be rendered, disclosing its contents to the attacker. [1]
- CVE-2019-5419: Denial of Service (DoS) in Action View. Rails applications that render templates are affected: a specially crafted Accept header can drive the template location code to consume 100% CPU, leaving the server unable to process requests. [1]
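To make the file disclosure concrete, here is an added example (written for this page, not Rails' own resolver code) that models how a file-system template resolver turns a base template path plus the formats negotiated from the Accept header into a glob, and why a traversal string smuggled in as a "format" escapes the views directory. The glob shape, the `File.expand_path` step, the handler list, the registered-format list and the temporary file layout are all assumptions constructed for the demo; `resolve_unsafe` trusts client-supplied formats, while `resolve_safe` rejects formats that are not registered (the approach the fixed releases take, raising on invalid formats) and additionally refuses any match that resolves outside the views root.

```ruby
require "tmpdir"
require "fileutils"

# Toy model of a template resolver (assumption, not Rails' code): the glob is
# built from the base path, the negotiated formats and the template handlers.
HANDLERS = %w[erb raw].freeze
# Registered formats; the hardened resolver only lets these reach the glob.
REGISTERED_FORMATS = %w[html json text].freeze

def template_query(views_root, base, formats)
  pattern = "#{base}{.{#{formats.join(',')}},}{.{#{HANDLERS.join(',')}},}"
  # expand_path normalises "../" components even when they sit inside a brace
  # group, which is what lets an Accept-derived format walk out of views_root.
  File.expand_path(pattern, views_root)
end

# Vulnerable shape: trusts whatever formats the client negotiated.
def resolve_unsafe(views_root, base, formats)
  Dir.glob(template_query(views_root, base, formats)).first
end

# Hardened shape: reject unregistered formats up front and, belt and braces,
# refuse any match that does not live under the views root.
def resolve_safe(views_root, base, formats)
  bad = formats - REGISTERED_FORMATS
  raise ArgumentError, "Invalid formats: #{bad.inspect}" unless bad.empty?
  match = Dir.glob(template_query(views_root, base, formats)).first
  return nil unless match
  root = File.realpath(views_root) + File::SEPARATOR
  File.realpath(match).start_with?(root) ? match : nil
end

# Constructed sample layout: a views tree plus a "secret" file one level above
# it. Runs both resolvers against an honest format and a crafted one.
def demo
  Dir.mktmpdir("rails-cve-2019-5418") do |dir|
    views = File.join(dir, "views")
    FileUtils.mkdir_p(File.join(views, "users"))
    File.write(File.join(views, "users", "index.html.erb"), "<h1>users</h1>\n")
    File.write(File.join(dir, "secret.txt"), "database password\n")

    # A well-behaved client (Accept: text/html) yields formats ["html"].
    honest = resolve_unsafe(views, "users/index", ["html"])

    # A crafted Accept header yields a "format" that is really a path. The "../"
    # segments pop back out of views/users once expand_path runs, and the
    # trailing "{{" keeps the glob's braces balanced so the remainder still
    # expands to a plain filename.
    crafted = ["../../../../secret.txt{{"]
    leaked = resolve_unsafe(views, "users/index", crafted)
    leaked_content = leaked && File.read(leaked)

    rejected = begin
      resolve_safe(views, "users/index", crafted)
      nil
    rescue ArgumentError => e
      e.message
    end

    {
      honest: File.basename(honest.to_s),
      leaked_path: leaked && leaked.sub(dir, "<tmp>"),
      leaked_content: leaked_content,
      rejected: rejected,
      safe_honest: File.basename(resolve_safe(views, "users/index", ["html"]).to_s),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with `ruby` and compare the two resolvers: the unsafe one hands back the secret file outside the views tree, while the safe one raises on the crafted format and still serves the honest `index.html.erb`. The registered-format check is the essential fix; the realpath containment check is defence in depth for any other way a caller might influence the glob.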
Vulnerable
- All versions of Rails before 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 are affected.
Recommendations
- Upgrade to Rails 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1, whichever is the fixed release for the branch you run.
- If you cannot upgrade immediately, apply the workarounds from the upstream advisories: for CVE-2019-5418, pass an explicit `formats:` option on every `render file:` call; for CVE-2019-5419, wrap `render` calls in a `respond_to` block, including actions that rely on implicit rendering. [1]