Critical File Content Disclosure & DoS Vulnerabilities in Ruby on Rails (CVE-2019-5418)

On This Page

Recent Stories

May 14, 2019

Patch IMMEDIATELY! - Microsoft Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)
MS Windows Error Reporting Local Privilege Escalation Vulnerability (CVE-2019-0863)

April 17, 2019

Multiple Critical Vulnerabilities in Atlassian Confluence (CVE-2019-3396)
News Archive
March 14, 2019
Josh Kwan

Summary

Serious security vulnerabilities have been discovered in the Ruby on Rails web application framework including a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability. Please read the References links below to learn if your Rails application is affected.

Impact

  • CVE-2019-5418: By using specially crafted headers, attackers can view an arbitrary file’s content. [1]
  • CVE-2019-5419: Rails applications that are rendering templates are subject to a Denial of Service (DoS) attack. Using specially crafted headers, attackers can max out the CPU by exploiting the template location code. [1]

Vulnerable

  • All versions of Rails before 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 are affected.

Recommendations

  • Upgrade to Rails versions 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, or 4.2.11.1. 

References