Critical File Content Disclosure & DoS Vulnerabilities in Ruby on Rails (CVE-2019-5418)

On This Page

Recent Stories

October 18, 2019

Kubernetes Vulnerabilities Allow Authentication Bypass, DoS (CVE-2019-16276)

October 1, 2019

Vulnerability in Exim Could Allow for Remote Command Execution (CVE-2019-16928)

September 27, 2019

Vulnerability in PHP 7.3 Could Allow for Arbitrary Code Execution
News Archive
March 14, 2019
Josh Kwan

Summary

Serious security vulnerabilities have been discovered in the Ruby on Rails web application framework including a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability. Please read the References links below to learn if your Rails application is affected.

Impact

  • CVE-2019-5418: By using specially crafted headers, attackers can view an arbitrary file’s content. [1]
  • CVE-2019-5419: Rails applications that are rendering tempates are subject to a Denial of Service (DoS) attack. Using specially crafted headers, attackers can max out the CPU by exploiting the template location code. [1]

Vulnerable

  • All versions of Rails before 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 are affected.

Recommendations

  • Upgrade to Rails versions 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1. 

References