Ruby

By DeepSource

sprockets gem version is susceptible to path traversal vulnerability RB-A1009

Security

Specially crafted requests can be used to read files on the filesystem that lie outside an application's root directory when the Sprockets server is used in production (tracked as CVE-2018-3760). Upgrading to a patched version of the gem fixes this issue.
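The class of bug described above is a missing containment check: a request path is joined onto the asset root without verifying that the resolved file still lives under that root. The following Ruby is an added illustration of such a check, written for this page and not taken from sprockets itself; the asset root, the `resolve_asset` and `safe_asset?` names and the sample request paths are all assumptions made for the example.

```ruby
require "uri"

# Constructed for the example: the directory that may be served from.
ASSET_ROOT = File.expand_path("app/assets", Dir.pwd)

class PathTraversal < StandardError; end

# Percent-decode a request path. Decoding is repeated a bounded number of
# times so that a double-encoded "%252e%252e" does not survive a single pass
# and get decoded again later by some other layer.
def percent_decode(str)
  3.times do
    nxt = URI.decode_www_form_component(str)
    break if nxt == str
    str = nxt
  end
  str
rescue ArgumentError
  raise PathTraversal, "malformed percent-encoding in #{str.inspect}"
end

# Resolve a request path against the asset root and refuse anything that
# escapes it. Returns the absolute filesystem path when the request is safe.
def resolve_asset(request_path, root = ASSET_ROOT)
  decoded = percent_decode(request_path)

  # NUL bytes can truncate the path in lower-level file APIs.
  raise PathTraversal, "NUL byte in path" if decoded.include?("\0")

  # Strip leading slashes so the request is always relative to root, then
  # let expand_path collapse "." and ".." segments.
  full = File.expand_path(decoded.sub(%r{\A/+}, ""), root)

  # The resolved path must be root itself or sit below "root/". Appending
  # the separator matters: "app/assets2/x" starts with "app/assets" but is
  # not inside it.
  unless full == root || full.start_with?(root + File::SEPARATOR)
    raise PathTraversal, "#{request_path.inspect} resolves outside #{root}"
  end
  full
end

# Convenience predicate: true when the request would be served.
def safe_asset?(request_path, root = ASSET_ROOT)
  resolve_asset(request_path, root)
  true
rescue PathTraversal
  false
end
```

The check is performed on the fully resolved path, after decoding and normalisation, rather than by looking for a literal `..` in the raw request; string matching on the undecoded input is exactly the kind of filter that encoded or double-encoded segments slip past.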

Workaround:

In Rails applications, you can avoid this by setting config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompiling the assets. With compilation disabled, Sprockets no longer resolves and serves asset requests at runtime; the precompiled files are instead served as static files from the public directory.

Note: This workaround will not be possible in all hosting environments, and upgrading is strongly advised.

Affected Versions: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.

References

  1. CVE-2018-3760 - Rails Security Group
  2. CVE-2018-3760 - GitHub Advisory Database
  3. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities