RubySec

Providing security resources for the Ruby community

CVE-2013-0262 (rack): Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure

GEM

rack

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • ~> 1.4.5
  • >= 1.5.2

DESCRIPTION

Rack contains a flaw in which the Rack::File function creates temporary files insecurely. A local attacker can use a symlink attack to traverse to an arbitrary file and disclose its contents.
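To check a project against the patched versions listed above, the following added example (not part of the advisory or of Rack) reads the resolved rack version from a `Gemfile.lock` and tests it against those ranges. The helper names and the sample lockfile are constructed for illustration, and any version outside the listed ranges is reported as unpatched because the page lists no other ranges.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Patched ranges copied from this advisory. A version counts as fixed if it
# satisfies ANY one of them; "~> 1.4.5" means >= 1.4.5 and < 1.5.
PATCHED = ["~> 1.4.5", ">= 1.5.2"].map { |r| Gem::Requirement.new(r) }

def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Pull the resolved rack version out of Gemfile.lock text. Resolved gems sit
# at four spaces of indentation under "specs:"; their dependency constraints
# are indented deeper and must not be mistaken for the locked version.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \(([^)\s]+)\)\s*$/)
  m && m[1]
end

def audit(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return :rack_not_found unless version
  patched?(version) ? :patched : :unpatched
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.5.1)
      rack-test (0.6.2)
        rack (>= 1.0)
      sinatra (1.4.3)
        rack (~> 1.4)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "rack #{locked_rack_version(SAMPLE_LOCK)}: #{audit(SAMPLE_LOCK)}"
  %w[1.4.4 1.4.5 1.4.7 1.5.0 1.5.2].each do |v|
    puts format("%-6s %s", v, patched?(v) ? "patched" : "unpatched")
  end
end
```

Note that 1.5.0 and 1.5.1 fall between the two ranges, so a lockfile pinned to either is still reported as unpatched.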