CVE-2013-0262

Description

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

Related CPE's

arack_projectrack1.4.4*******

arack_projectrack1.4.2*******

arack_projectrack1.4.3*******

arack_projectrack1.4.0*******

arack_projectrack1.5.1*******

arack_projectrack1.4.1*******

arack_projectrack1.5.0*******

References

https://bugzilla.redhat.com/show_bug.cgi?id=909072

52033

Vendor Advisory

http://rack.github.com/

https://gist.github.com/rentzsch/4736940

https://bugzilla.redhat.com/show_bug.cgi?id=909071

https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56

https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30

openSUSE-SU-2013:0462

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:N/C:P/I:N/A:N

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

NONE

ConfidentialityImpact

PARTIAL

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

4.300000190734863

Created by Yello
About Severity.io