Directory Traversal Vulnerability in Ruby on Rails Action View
CVE-2016-0752

7.5HIGH

Key Information:

Vendor: Rubyonrails
Status: Ruby On Rails; Rails
Vendor: CVE Published:; 16 February 2016

🔔 Create Rubyonrails Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%🦅 CISA Reported

What is CVE-2016-0752?

A directory traversal vulnerability exists in the Action View component of Ruby on Rails, allowing attackers to exploit the unrestrained use of the render method. By manipulating the pathname with a '..' sequence, unauthorized users can read arbitrary files on the server, leading to potential information leakage and exploitation of sensitive data.

CISA has reported CVE-2016-0752

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2016-0752 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2016-0752 - Proof of Concept

rails-rce-cve-2016-0752
Created by forced-request

CVE-2016-0752
Created by dachidahu