Merge pull request #340 from greysteil/sprockets-cve

phillmv · web-flow · commit 2b177828bcbc · 2018-06-19T12:16:37.000-04:00
Add Path Traversal in Sprockets vulnerability
diff --git a/gems/sprockets/CVE-2018-3760.yml b/gems/sprockets/CVE-2018-3760.yml
@@ -0,0 +1,23 @@
+---
+gem: sprockets
+cve: 2018-3760
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
+title: Path Traversal in Sprockets
+date: 2018-06-19
+description: |
+  Specially crafted requests can be used to access files that exist on
+  the filesystem that is outside an application's root directory, when the
+  Sprockets server is used in production.
+  
+  All users running an affected release should either upgrade or use one of the work arounds immediately.
+  
+  Workaround:
+  In Rails applications, work around this issue, set `config.assets.compile = false` and
+  `config.public_file_server.enabled = true` in an initializer and precompile the assets.
+
+   This work around will not be possible in all hosting environments and upgrading is advised.
+
+patched_versions:
+  - ">= 2.12.5, < 3.0.0"
+  - ">= 3.7.2, < 4.0.0"
+  - ">= 4.0.0.beta8"
