Directory traversal in Rack::Directory
======================================
There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
This vulnerability has been assigned the CVE identifier CVE-2020-8161.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Impact
------
If certain directories exist in a directory that is managed by
`Rack::Directory`, an attacker could use this vulnerability to read the
contents of files on the server that lie outside the root specified in the
`Rack::Directory` initializer.
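As an added example that is not part of this advisory, not Rack's own code, and not the 2.1.3 fix, the following Ruby shows the containment property a directory-serving app has to enforce to avoid the impact described above: a request must never resolve to a file outside the configured root, whether the escape is a literal `..`, a percent-encoded one, or a directory entry inside the root that points outside it. The `SafeServe` module and its method names are hypothetical, and the directory tree and requests are constructed inline.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper for this example; not Rack::Directory and not the
# CVE-2020-8161 fix. It shows the property a directory/file server must
# enforce: every served path must resolve inside the configured root.
module SafeServe
  class Forbidden < StandardError; end

  # Percent-decode PATH_INFO exactly once. Decoding in a loop would let
  # double-encoded sequences such as %252e%252e turn into ".." later.
  def self.unescape_path(path_info)
    bytes = path_info.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    bytes.force_encoding(Encoding::UTF_8)
  end

  # Returns the absolute, symlink-resolved path for +path_info+ if it lies
  # inside +root+, nil if nothing exists there, and raises Forbidden if the
  # request tries to escape the root.
  def self.resolve(root, path_info)
    root = File.realpath(root)
    decoded = unescape_path(path_info)
    raise Forbidden, 'invalid encoding' unless decoded.valid_encoding?
    raise Forbidden, 'NUL byte in path' if decoded.include?("\0")

    # Lexical check: split on "/" and drop empty and "." segments; any ".."
    # left is a traversal attempt, whether it arrived literally or as %2e%2e.
    segments = decoded.split('/').reject { |s| s.empty? || s == '.' }
    raise Forbidden, 'dot-dot segment' if segments.include?('..')

    # Filesystem check: resolve symlinks. A directory inside the root that
    # links outside it passes the lexical check but must still be rejected.
    real = File.realpath(File.join(root, *segments))
    unless real == root || real.start_with?(root + File::SEPARATOR)
      raise Forbidden, 'path resolves outside root'
    end
    real
  rescue SystemCallError # ENOENT, ENOTDIR, ELOOP: treat as not found
    nil
  end

  def self.classify(root, path_info)
    resolve(root, path_info) ? :ok : :not_found
  rescue Forbidden
    :forbidden
  end

  # Builds a constructed directory tree in a temp dir and classifies a set of
  # requests against it. Returns {request => :ok | :forbidden | :not_found}.
  def self.demo
    Dir.mktmpdir do |tmp|
      root = File.join(tmp, 'public')
      FileUtils.mkdir_p(File.join(root, 'docs'))
      File.write(File.join(root, 'index.html'), '<h1>public</h1>')
      File.write(File.join(tmp, 'secret.txt'), 'outside the served root')
      # A directory entry inside the root that points outside it.
      File.symlink(tmp, File.join(root, 'linked'))

      requests = [
        '/index.html',                 # ordinary file
        '/docs/',                      # directory listing
        '/../secret.txt',              # literal dot-dot
        '/%2e%2e/secret.txt',          # encoded dot-dot
        '/docs/..%2f..%2fsecret.txt',  # encoded slashes
        '/linked/secret.txt',          # symlinked directory escaping root
        '/nope.txt',                   # nonexistent
      ]
      requests.to_h { |req| [req, classify(root, req)] }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  SafeServe.demo.each { |req, verdict| puts "#{req.ljust(30)} #{verdict}" }
end
```

The lexical `..` check alone is not enough: the symlink case passes it and is only caught by comparing the `File.realpath` result against the real root, which is why both checks are kept and why the root itself is canonicalised before the comparison.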
Releases
--------
Rack 2.2.0 contains a fix for this issue. This release is already available
on RubyGems.
The Rack 2.1.3 release is available at the normal locations.
Workarounds
-----------
Until the patch is applied or Rack is upgraded, we recommend that
developers not use Rack::Directory in their applications.
Patches
-------
For developers who are not able to immediately patch their applications,
we are including the following patch which should apply cleanly to all
2.1 series releases of Rack.
* 2-1-directory-traversal.patch
Credits
-------
Thanks to
https://hackerone.com/saltyyolk for reporting this issue via our HackerOne bug bounty program.