Directory traversal in Rack::Directory app bundled with Rack
Published: May 12, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-8161 (NVD)
- GHSA: GHSA-5f9h-9pjv-v6j7
- Vendor Advisory: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
GEM
rack
SEVERITY
CVSS v3.x: 8.6 (High)
PATCHED VERSIONS
~> 2.1.3
>= 2.2.0
DESCRIPTION
There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Impact
If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.
Workarounds
Until such time as the patch is applied or their Rack version is upgraded, we recommend that developers do not use Rack::Directory in their applications.
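As an added illustration (not Rack's own code, and not a reproduction of the upstream patch), the kind of root-containment check a file-serving app needs: the request path is normalised under the configured root and rejected when it resolves outside it. For contrast it also keeps a bare string-prefix comparison, which a sibling directory whose name merely begins with the root's name slips past. The root and request paths are constructed values; symlink resolution (a realpath check on the result) is omitted.

```ruby
require "pathname"

# Example code for this advisory, not Rack's implementation.
module SafeServe
  module_function

  # Resolve +path_info+ (a percent-encoded request path) beneath +root+.
  # Returns the absolute path, or nil when it would escape the root.
  def resolve(root, path_info)
    root = Pathname.new(root).cleanpath.to_s          # drops trailing "/"
    decoded = path_info.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    return nil if decoded.include?("\0")              # NUL would truncate the OS path

    # cleanpath collapses "." and ".." lexically, so "/srv/public/../x"
    # becomes "/srv/x" before we compare it with the root.
    candidate = Pathname.new(File.join(root, decoded)).cleanpath.to_s
    contained?(root, candidate) ? candidate : nil
  end

  # Containment is a component-wise test: the candidate is the root itself
  # or lives under "root/". Comparing on the bare root string is not enough.
  def contained?(root, candidate)
    candidate == root || candidate.start_with?(root + File::SEPARATOR)
  end

  # The weak variant, kept only to show the gap: "/srv/public2/secret"
  # starts with "/srv/public" and would be accepted.
  def prefix_check(root, candidate)
    candidate.start_with?(root)
  end
end

if $PROGRAM_NAME == __FILE__
  root = "/srv/public"                                # constructed root
  ["/css/site.css", "/../public2/secret", "/%2e%2e/public2/secret"].each do |req|
    puts "#{req.ljust(28)} -> #{SafeServe.resolve(root, req).inspect}"
  end
end
```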
