CVE-2019-18978 — Path Traversal in Project Rack-cors

CWE-22 — Path Traversal9 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

1.0%

top 22.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack-cors Project Rack-cors Debian Ruby-rack-cors Canonical Ubuntu Linux +1 more

Timeline

PublishedNov 14

Latest updateOct 5

Description

An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/ruby-rack-cors< ruby-rack-cors 1.1.1-1 (bookworm)

▶NVDrack-cors_project/rack-cors< 1.0.4

▶RubyGemsrack-cors_project/rack-cors< 1.0.4

Also affects: Ubuntu Linux 16.04, Debian Linux 10.0, 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

The rack-cors rubygem may allow directory traveral↗2019-11-15

▶

GHSA

The rack-cors rubygem may allow directory traveral↗2019-11-15

▶

OSV

CVE-2019-18978: An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1↗2019-11-14

▶

📋Vendor Advisories

Ubuntu

rack-cors vulnerability↗2020-10-05

▶

Debian

CVE-2019-18978: ruby-rack-cors - An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1...↗2019

▶

💬Community

Bugzilla

CVE-2019-18978 rubygem-rack-cors: allows ../ directory traversal to access private resources [epel-all]↗2019-11-21

▶

Bugzilla

CVE-2019-18978 rubygem-rack-cors: allows ../ directory traversal to access private resources↗2019-11-21

▶

Bugzilla

CVE-2019-18978 rubygem-rack-cors: allows ../ directory traversal to access private resources [fedora-all]↗2019-11-21

▶