What is CVE-2016-2097?

CVE-2016-2097 is a medium-severity vulnerability in Rubyonrails Rails, classified under Path Traversal. CVSS score: 5.3/10. Published 2016-04-07.

How severe is CVE-2016-2097?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Path Traversal in Rubyonrails Rails

CVE-2016-2097

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.019 (83.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Rubyonrails Rails — versions 4.0.0, 4.0.1, 4.0.2
Rubyonrails Ruby_on_rails — versions 4.1.14.1
N/a — versions n/a

Weakness classification (CWE)

CWE-22 — Path Traversal

References

SUSE-SU-2016:0967 (vendor-advisory, x_refsource_SUSE)
DSA-3509 (vendor-advisory, x_refsource_DEBIAN)
[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View (mailing-list, x_refsource_MLIST)
1035122 (vdb-entry, x_refsource_SECTRACK)
SUSE-SU-2016:0854 (vendor-advisory, x_refsource_SUSE)
83726 (vdb-entry, x_refsource_BID)
openSUSE-SU-2016:0835 (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)

Frequently asked questions

What is CVE-2016-2097?: CVE-2016-2097 is a medium-severity vulnerability in Rubyonrails Rails, classified under Path Traversal. CVSS score: 5.3/10. Published 2016-04-07.
How severe is CVE-2016-2097?: Medium severity. CVSS v3 base score is 5.3 out of 10.