What is CVE-2018-3760?

CVE-2018-3760 is a vulnerability in Hackerone Sprockets, classified under Path Traversal. Published 2018-06-26.

Is CVE-2018-3760 known to be exploited?

41 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Hackerone Sprockets

CVE-2018-3760

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an a…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.939 (99.9th percentile) — read the EPSS interpretation.

Affected products

Hackerone Sprockets — versions 4.0.0.beta8, 3.7.2, 2.12.5

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps… (x_refsource_MISC)
RHSA-2018:2745 (vendor-advisory, x_refsource_REDHAT)
groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ (x_refsource_MISC)
RHSA-2018:2244 (vendor-advisory, x_refsource_REDHAT)
RHSA-2018:2561 (vendor-advisory, x_refsource_REDHAT)
RHSA-2018:2245 (vendor-advisory, x_refsource_REDHAT)
DSA-4242 (vendor-advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2018-3760?: CVE-2018-3760 is a vulnerability in Hackerone Sprockets, classified under Path Traversal. Published 2018-06-26.
Is CVE-2018-3760 known to be exploited?: 41 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.