Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Ruby on Rails Directory Traversal Vulnerability in Action View Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in the Action View component of Ruby on Rails. This issue is present in versions prior to 3.2.22.1, in 4.0.x and 4.1.x prior to 4.1.14.1, in 4.2.x prior to 4.2.5.1, and in 5.x prior to 5.0.0.beta1.1. The vulnerability allows remote attackers to read arbitrary files by exploiting an application's unrestricted use of the render method and supplying a .. (dot dot) sequence in the pathname. The flaw arises from the Action View component's handling of template rendering: untrusted input is resolved to a file path without being confined to the application's view directory, so files outside that directory can be read, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for directory traversal, leading to unauthorized file access. In certain scenarios, this could be escalated to remote code execution.

Reproduction

To reproduce this vulnerability, an application must be running a vulnerable version of Ruby on Rails and must pass unverified user input to the render method in a controller. A request that includes a crafted pathname with .. (dot dot) segments is then interpreted by the Action View component as a request for a file outside the intended view directory.

Remediation

Users are advised to upgrade to Ruby on Rails versions 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, or 3.2.22.1. For those unable to upgrade immediately, a patch is available for the 4.1 and 4.2 series. Instructions for applying the patch can be found in the Ruby on Rails security update announcement.
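The unsafe pattern described under Reproduction is a controller that hands a request parameter straight to render. The following is an added example, not code from the advisory or from Rails, of the two checks an application should put in front of such a call as defence in depth alongside the upgrade: an allowlist of template names and a containment check that the resolved path stays inside the views directory. VIEWS_ROOT, ALLOWED_TEMPLATES, the parameter name and the function names are assumptions made for this example.

```ruby
require "uri"

# Constructed views root for this example; a Rails application would use
# Rails.root.join("app", "views").to_s instead.
VIEWS_ROOT = File.expand_path("/srv/app/app/views")

# The only template names this controller is meant to render (assumed).
ALLOWED_TEMPLATES = %w[dashboard profile settings].freeze

# True when `name`, joined to the views root, resolves to a location inside
# that root. File.expand_path collapses ".." and honours absolute paths, so
# the comparison is made on the final path, not on the raw string. This is
# the containment check an unrestricted `render params[:template]` lacks.
def inside_views_root?(name, views_root = VIEWS_ROOT)
  resolved = File.expand_path(name.to_s, views_root)
  root = views_root.end_with?("/") ? views_root : "#{views_root}/"
  resolved.start_with?(root)
rescue ArgumentError
  false # e.g. a NUL byte or an unknown "~user" in the name
end

# True when the raw parameter looks like a traversal attempt: an absolute or
# home-relative path, or a literal or percent-encoded ".." segment. Useful as
# a log signal even once the render call itself has been fixed.
def traversal_attempt?(raw)
  decoded = begin
    URI.decode_www_form_component(raw.to_s)
  rescue ArgumentError
    raw.to_s # malformed percent-encoding: judge the raw value
  end
  decoded.start_with?("/", "~") || decoded.split(%r{[\\/]}).include?("..")
end

# Preferred fix: map the untrusted parameter onto the fixed allowlist and
# render only the matching file. Returns the absolute template path, or nil
# when the request should be rejected (caller renders a 404 or raises).
def safe_template_path(raw, views_root: VIEWS_ROOT, allowed: ALLOWED_TEMPLATES)
  return nil if traversal_attempt?(raw)
  name = raw.to_s
  return nil unless allowed.include?(name)
  path = File.join(views_root, "#{name}.html.erb")
  inside_views_root?(path, views_root) ? path : nil
end
```

In a controller the call becomes `path = safe_template_path(params[:template])` followed by `render file: path` only when `path` is non-nil; the allowlist alone closes the hole, and the containment check guards against later edits that widen it.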

Added: May 15, 2026, 8:59 AM
Updated: May 15, 2026, 8:59 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 10.0
remediation: 8.3
relevance: 0.0
threat: 9.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.