Critical File Content Disclosure & DoS Vulnerabilities in Ruby on Rails (CVE-2019-5418)

On This Page

Recent Stories

March 24, 2020

Windows Zero-Day Exploit: Type 1 Font Parsing Remote Code Execution Vulnerability

March 13, 2020

Patch IMMEDIATELY – Microsoft SMBv3 Compression - Wormable RCE Vulnerability - CVE-2020-0796

January 14, 2020

Patch IMMEDIATELY! - Microsoft Remote Desktop Gateway Remote Code Execution Vulnerability (CVE-2020-0610)
News Archive
March 14, 2019
Josh Kwan

Summary

Serious security vulnerabilities have been discovered in the Ruby on Rails web application framework including a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability. Please read the References links below to learn if your Rails application is affected.

Impact

  • CVE-2019-5418: By using specially crafted headers, attackers can view an arbitrary file’s content. [1]
  • CVE-2019-5419: Rails applications that are rendering tempates are subject to a Denial of Service (DoS) attack. Using specially crafted headers, attackers can max out the CPU by exploiting the template location code. [1]

Vulnerable

  • All versions of Rails before 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 are affected.

Recommendations

  • Upgrade to Rails versions 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1. 

References