CVE-2016-2097 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2016-2097 Interim 1 14 2023-12-09T01:19:59Z current 2021-05-30T13:39:05Z 2023-12-09T01:19:59Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2016-2097 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2016-March/001962.html E-Mail link for SUSE-SU-2016:0854-1 https://lists.suse.com/pipermail/sle-security-updates/2016-April/001988.html E-Mail link for SUSE-SU-2016:0967-1 https://lists.suse.com/pipermail/sle-security-updates/2022-December/013203.html E-Mail link for SUSE-SU-2022:15116-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DD7VV27CT42C5NSNF7SS4TF46WAHCLKL/#DD7VV27CT42C5NSNF7SS4TF46WAHCLKL E-Mail link for openSUSE-SU-2016:0835-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Lifecycle Management Server 1.3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE OpenStack Cloud 5 SUSE Studio Onsite 1.3 SUSE WebYast 1.3 ruby2.1-rubygem-actionview-4_1-4.1.9-12.1 rubygem-actionpack-3_2-3.2.12-0.26.1 rubygem-actionpack-3_2-3.2.12-0.27.3.1 rubygem-actionpack-3_2-3.2.12-0.26.1 as a component of SUSE Lifecycle Management Server 1.3 rubygem-actionpack-3_2-3.2.12-0.26.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 ruby2.1-rubygem-actionview-4_1-4.1.9-12.1 as a component of SUSE OpenStack Cloud 5 rubygem-actionpack-3_2-3.2.12-0.26.1 as a component of SUSE Studio Onsite 1.3 rubygem-actionpack-3_2-3.2.12-0.27.3.1 as a component of SUSE WebYast 1.3 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. CVE-2016-2097 SUSE Lifecycle Management Server 1.3:rubygem-actionpack-3_2-3.2.12-0.26.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-actionpack-3_2-3.2.12-0.26.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionview-4_1-4.1.9-12.1 SUSE Studio Onsite 1.3:rubygem-actionpack-3_2-3.2.12-0.26.1 SUSE WebYast 1.3:rubygem-actionpack-3_2-3.2.12-0.27.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N