CVE-2020-8161: [CVE-2020-8161] Directory traversal in Rack::Directory

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app bundled with Rack, which could result in information disclosure.


Directory traversal in Rack::Directory
======================================

There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
This vulnerability has been assigned the CVE identifier CVE-2020-8161.

Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0

Impact
------

If certain directories exist in a directory that is managed by
`Rack::Directory`, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified in the
Rack::Directory initializer.
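The defensive property the advisory is about is root confinement: whatever a request path contains, the file a static handler finally opens must resolve to the configured root or something beneath it. The following is an added example, not Rack's own code and not the patch referenced in this advisory; it shows a self-contained confinement check that normalises a request path against a hypothetical root (`ROOT`, `resolve_within_root`, `audit` and the sample requests are all constructed for the example) and refuses anything that escapes.

```ruby
# Added example, not Rack's own code: a root-confinement check of the kind a
# static-file handler must apply before it opens anything on disk. A request
# path is resolved against the document root and refused unless the result is
# the root itself or lies beneath it. ROOT is a hypothetical directory.
ROOT = File.expand_path("/srv/app/public")

# Returns the absolute filesystem path to serve, or nil when the request
# would resolve outside +root+. Percent-decoding happens first so that encoded
# dot segments are normalised exactly like literal ones.
def resolve_within_root(root, request_path)
  decoded = request_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  # expand_path raises on NUL bytes and treats a leading "~" as a home
  # directory; neither belongs in a URL path, so refuse them outright.
  return nil if decoded.include?("\0")
  relative = decoded.sub(%r{\A/+}, "")
  return nil if relative.start_with?("~")
  candidate = File.expand_path(relative, root)
  # The normalised path must equal root or start with "root/"; a bare string
  # prefix test would wrongly accept a sibling such as "/srv/app/public2".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Constructed request paths, as a handler would see them in PATH_INFO.
SAMPLE_REQUESTS = [
  "/css/site.css",
  "/docs/../index.html",
  "/../../secret.txt",
  "/%2e%2e/%2e%2e/secret.txt",
]

# Pair each request with the decision the check makes for it.
def audit(requests, root = ROOT)
  requests.map { |req| [req, resolve_within_root(root, req) || "REFUSED"] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_REQUESTS).each { |req, result| puts "#{req.ljust(28)} -> #{result}" }
end
```

The check deliberately normalises before comparing rather than scanning the raw string for `..`: the point of the advisory is that a path can look acceptable segment by segment and still resolve outside the root once the filesystem joins it, so the decision has to be made on the resolved path.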

Releases
--------

Rack 2.2.0 contains a fix for this issue. This release is already available
on RubyGems.

The Rack 2.1.3 release is available at the normal locations.

Workarounds
-----------

Until such time as the patch is applied or their Rack version is upgraded,
we recommend that developers do not use Rack::Directory in their
applications.
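Deciding whether the workaround applies comes down to two questions the advisory poses: is the resolved rack version inside the affected range, and does the application mount Rack::Directory at all. The following triage script is an added example, not part of the advisory or of Rack; it applies the advisory's version ranges to a constructed `Gemfile.lock` excerpt and scans a constructed `config.ru` for the class name (`LOCKFILE`, `CONFIG_RU`, `rack_version_from_lockfile`, `vulnerable_version?`, `rack_directory_used?` and `assess` are all names chosen for the example).

```ruby
# Added example, not part of the Rack advisory: a small triage script that
# applies the advisory's version ranges to a Gemfile.lock and looks for
# Rack::Directory in application sources. All inputs below are constructed.

# Constructed Gemfile.lock excerpt pinning an affected rack release.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.1.2)
      sinatra (2.0.8.1)
        rack (~> 2.0)
LOCK

# Constructed config.ru that mounts Rack::Directory.
CONFIG_RU = <<~RU
  map "/files" do
    run Rack::Directory.new("public")
  end
RU

# Extract the resolved rack version from the specs section of a lockfile.
# Top-level gems are indented four spaces; transitive "rack (~> 2.0)"
# requirements are indented deeper and carry an operator, so they do not match.
def rack_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rack \((\d+(?:\.\d+)*)\)$/)
  m && m[1]
end

# Advisory ranges: affected < 2.2.0; fixed in 2.1.3 and >= 2.2.0.
# Assumption: later 2.1.x patch releases after 2.1.3 also carry the fix.
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  return false if v >= Gem::Version.new("2.2.0")
  return false if v.segments[0, 2] == [2, 1] && v >= Gem::Version.new("2.1.3")
  true
end

# The advisory scopes impact to applications that actually use Rack::Directory.
def rack_directory_used?(source_text)
  source_text.match?(/\bRack::Directory\b/)
end

# Combine both checks into one verdict: :not_affected, :vulnerable, :fixed,
# or :unknown when the lockfile does not pin rack at all.
def assess(lock_text, source_text)
  return :not_affected unless rack_directory_used?(source_text)
  version = rack_version_from_lockfile(lock_text)
  return :unknown if version.nil?
  vulnerable_version?(version) ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  puts "rack #{rack_version_from_lockfile(LOCKFILE)}: #{assess(LOCKFILE, CONFIG_RU)}"
end
```

In a real repository the two constructed strings would be replaced by the contents of `Gemfile.lock` and of every Ruby file that builds the middleware stack; a `:vulnerable` verdict is the case in which the advisory recommends removing Rack::Directory until the upgrade or patch is in place.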

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patch which should apply cleanly to all
2.1 series releases of Rack.

* 2-1-directory-traversal.patch

Credits
-------

Thanks to https://hackerone.com/saltyyolk for reporting this issue via our HackerOne bug bounty program.
