ALT-PU-2021-2719-1
Package gem-rack-cors updated to version 1.1.1-alt1 for branch sisyphus in task 246775.
Closed vulnerabilities
Published: 2019-11-14
BDU:2021-04587
Уязвимость программного обеспечения организации совместимости приложений Rack с CORS Rack-cors, связанная с некорректным ограничением имени пути к каталогу, позволяющая нарушителю получить доступ к конфиденциальным данным
Severity: MEDIUM (5.3)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2019-11-15
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-18978
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
- https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
- https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
- https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4
- https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4
- [debian-lts-announce] 20200206 [SECURITY] [DLA 2096-1] ruby-rack-cors security update
- [debian-lts-announce] 20200206 [SECURITY] [DLA 2096-1] ruby-rack-cors security update
- [debian-lts-announce] 20201001 [SECURITY] [DLA 2389-1] ruby-rack-cors security update
- [debian-lts-announce] 20201001 [SECURITY] [DLA 2389-1] ruby-rack-cors security update
- USN-4571-1
- USN-4571-1
- DSA-4918
- DSA-4918