[CVE-2020-8161] Directory traversal in Rack::Directory

1,303 views
Skip to first unread message

Aaron Patterson

unread,
May 12, 2020, 5:47:46 PM5/12/20
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
Directory traversal in Rack::Directory

There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
This vulnerability has been assigned the CVE identifier CVE-2020-8161.

Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0

Impact
------

If certain directories exist in a director that is managed by
`Rack::Directory`, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified in the
Rack::Directory initializer.

Releases
--------

Rack 2.2.0 contains a fix for this issue. This release is already available
on RubyGems.

The Rack 2.1.3 release is available at the normal locations.

Workarounds
-----------

Until such time as the patch is applied or their Rack version is upgraded,
we recommend that developers do not use Rack::Directory in their
applications.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patch which should apply cleanly to all
2.1 series releases of Rack.

* 2-1-directory-traversal.patch


Credits
-------

Thanks to https://hackerone.com/saltyyolk for reporting this issue via our HackerOne bug bounty program.
2-1-directory-traversal.patch
Reply all
Reply to author
Forward
0 new messages