CVE-2013-0262 — Path Traversal in Rack

CWE-22 — Path Traversal10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.3%

top 20.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Rack Project Rack

Timeline

PublishedFeb 8

Latest updateOct 24

Description

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶RubyGemsrack/rack1.5.0 — 1.5.2+1

▶NVDrack_project/rack7 versions+6

🔴Vulnerability Details

GHSA

Rack Vulnerable to Path Traversal↗2017-10-24

▶

OSV

Rack Vulnerable to Path Traversal↗2017-10-24

▶

CVEList

CVE-2013-0262: rack/file↗2013-02-08

▶

OSV

CVE-2013-0262: rack/file↗2013-02-08

▶

📋Vendor Advisories

Red Hat

rubygem-rack: Path sanitization information disclosure↗2013-02-08

▶

Debian

CVE-2013-0262: ruby-rack - rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allo...↗2013

▶

💬Community

Bugzilla

CVE-2013-0262 rubygem-rack: Path sanitization information disclosure↗2013-02-08

▶

Bugzilla

CVE-2013-0262 Rubygem Rack: Path sanitization information disclosure [fedora-17]↗2013-02-08

▶

Bugzilla

CVE-2013-0262 Rubygem Rack: Path sanitization information disclosure [fedora-18]↗2013-02-08

▶