Critical File Content Disclosure & DoS Vulnerabilities in Ruby on Rails (CVE-2019-5418)

On This Page

Recent Stories

July 27, 2021

Jul 27
MacOS, iPadOS, and iOS Local Privilege Escalation Vulnerability (CVE-2021-30807)

April 5, 2021

Apr 05
UC Email Security Incident Notice

March 31, 2021

Mar 31
IRS Warning of Impersonation Attacks Targeting Universities
News Archive
March 14, 2019
Josh Kwan

Summary

Serious security vulnerabilities have been discovered in the Ruby on Rails web application framework including a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability. Please read the References links below to learn if your Rails application is affected.

Impact

  • CVE-2019-5418: By using specially crafted headers, attackers can view an arbitrary file’s content. [1]
  • CVE-2019-5419: Rails applications that are rendering tempates are subject to a Denial of Service (DoS) attack. Using specially crafted headers, attackers can max out the CPU by exploiting the template location code. [1]

Vulnerable

  • All versions of Rails before 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 are affected.

Recommendations

  • Upgrade to Rails versions 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1. 

References