← Back

CVE-2016-0752

nvd nist
Published: Feb 16, 2016Modified: Apr 22, 2026CISA KEV

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Affected (9)

Show all products
Rubyonrails: Rails · Opensuse: Leap, Opensuse · Suse: Linux Enterprise Module For Containers · Debian: Debian Linux · Redhat: Software Collections
Rubyonrails
1 product
Rails
Opensuse
2 products
Leap
Opensuse
Suse
1 product
Linux Enterprise Module For Containers
Debian
1 product
Debian Linux
Redhat
1 product
Software Collections
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Rubyonrails
Rails
Before 3.2.22.1
Rails
From 4.0.0 to 4.1.14.1
Rails
From 4.2.0 to 4.2.5.1
Rails
Version 5.0.0 beta1
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Leap
Version 42.1
Opensuse
Version 13.2
Linux Enterprise Module For Containers
Version 12
Configuration C
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 8.0
Configuration D
1 vulnerable
Vulnerable SoftwareAffected Versions
Software Collections
Version 1.0

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (25)

Source: secalert@redhat.com
Permissions Required
Source: secalert@redhat.com
Permissions Required
Source: secalert@redhat.com
Mailing ListThird Party Advisory
Source: secalert@redhat.com
Mailing ListThird Party Advisory
Source: secalert@redhat.com
Mailing ListThird Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Mailing ListThird Party Advisory
Source: secalert@redhat.com
ExploitMailing List
Source: secalert@redhat.com
Broken LinkThird Party AdvisoryVDB Entry
Source: secalert@redhat.com
Broken LinkThird Party AdvisoryVDB Entry
Source: secalert@redhat.com
Broken Link
Source: secalert@redhat.com
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.