CVE-2018-3760: Information Exposure
(updated )
The package sprockets may leak confidential information. Specially crafted requests can be used to access files that exist on the filesystem that are outside an application’s root directory when the server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
References
- github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5
- github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441
- github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
- groups.google.com/g/ruby-security-ann/c/2S9Pwz2i16k
- nvd.nist.gov/vuln/detail/CVE-2018-3760
Code Behaviors & Features
Detect and mitigate CVE-2018-3760 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →