CVE-2013-0262

2013-02-08 21:55:01 2018-08-13 23:47:43

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

Vector

NETWORK

Complexity

MEDIUM

Authentication

NONE

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Rubyforge Rack 1.5.1 Rubyforge Rack 1.5.0 Rubyforge Rack 1.4.4 Rubyforge Rack 1.4.3 Rubyforge Rack 1.4.2 Rubyforge Rack 1.4.1 Rubyforge Rack 1.4.0

Rack project - Rack

Advisory	Patch	Confirmed	Link
			https://groups.google.com/forum/#!msg/rack-devel/mZsuRon...
			https://groups.google.com/forum/#!msg/rack-devel/bf937jP...
			https://github.com/rack/rack/commit/6f237e4c9fab649d3750...
			https://github.com/rack/rack/blob/master/lib/rack/file.r...
			https://gist.github.com/rentzsch/4736940
			https://bugzilla.redhat.com/show_bug.cgi?id=909072
			https://bugzilla.redhat.com/show_bug.cgi?id=909071
			http://rack.github.com/
			openSUSE-SU-2013:0462

CVE-2013-0262

2013-02-08 21:55:01 2018-08-13 23:47:43

Vector

Complexity

Authentication

Confidentiality

Integrity

Availability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)