New Detection for File Content Disclosure Vulnerability in Ruby on Rails

Document created by Dave Ferguson Employee on Mar 27, 2019
Hello all,

The Qualys WAS scanning engine has been updated with a new detection for CVE-2019-5418, a serious file content disclosure vulnerability in Ruby on Rails. Ensure that QID 150237 is enabled in your WAS vulnerability scans to test for this issue. When attempting to exploit it, an attacker submits a request with a specially crafted "Accept" header. Web apps that are vulnerable use the "render" method on a file (render :file). More details can be found at https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q.
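As an added illustration, not part of the original post or of Qualys' own detection logic, here is a small Ruby log-triage helper that flags requests whose Accept header is not a valid media-range list or carries a path-traversal sequence, which is what a probe for this issue looks like in access logs. The JSON log format and the sample lines are constructed for the example.

```ruby
# Added example (not from the Qualys post): triage access-log entries for
# Accept headers that look like CVE-2019-5418 probes. Assumes a constructed
# JSON-per-line log with "method", "path", "accept" and "status" keys.
require 'json'

# RFC 7231 token characters; a media range is type/subtype plus ;param=value pairs.
TOKEN = /[!$#%&'*+\-.^_`|~0-9A-Za-z]+/
MEDIA_RANGE = /\A(?:\*\/\*|#{TOKEN}\/(?:\*|#{TOKEN}))(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^"]*"))*\z/

# True when the Accept value cannot be parsed as a comma-separated media-range list.
def malformed_accept?(accept)
  return false if accept.nil? || accept.strip.empty?
  accept.split(',').any? { |range| range.strip !~ MEDIA_RANGE }
end

# True when the Accept value contains a path-traversal sequence; a legitimate
# media range never contains "../" or "..\".
def traversal_in_accept?(accept)
  accept.to_s.include?('../') || accept.to_s.include?('..\\')
end

# Returns one hash per suspicious request with the path, the header and the reason.
def suspicious_requests(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    entry = JSON.parse(line)
    accept = entry['accept']
    next unless traversal_in_accept?(accept) || malformed_accept?(accept)
    hits << { path: entry['path'], accept: accept,
              reason: traversal_in_accept?(accept) ? 'traversal' : 'malformed' }
  end
end

# Constructed sample log: one normal browser request, one traversal probe,
# one malformed header (Rails would typically answer such a request with 406).
SAMPLE_LOG = [
  '{"method":"GET","path":"/reports/1","accept":"text/html,application/xhtml+xml;q=0.9,*/*;q=0.8","status":200}',
  '{"method":"GET","path":"/reports/1","accept":"../../../../../../etc/hostname","status":200}',
  '{"method":"GET","path":"/reports/1","accept":"not a media type","status":406}'
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

A hit with reason "traversal" against an endpoint that renders files is worth correlating with the response status and size, since a 200 with an unexpected body length is the signature of a successful disclosure rather than a blocked probe.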

This new detection is part of an ongoing effort to provide more support for known vulnerabilities in application frameworks.

- Dave
