FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-0262

This CVE name corresponds to:

Entered     Topic
2013-02-17  Ruby Rack Gem -- Multiple Issues

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2013-0262
Phase  Assigned (20121206)

Description

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

References

Source   Reference
MISC     https://bugzilla.redhat.com/show_bug.cgi?id=909071
MISC     https://gist.github.com/rentzsch/4736940
MISC     https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56
CONFIRM  http://rack.github.com/
CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=909072
CONFIRM  https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
CONFIRM  https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
CONFIRM  https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
SUSE     openSUSE-SU-2013:0462
SECUNIA  52033