Read more

How to recognize CVE-2019-5418

Judith Roth
May 29, 2019Software engineer at makandra GmbH

If you get requests with values for formats like this:

{:locale=>[:de], :formats=>["../../../../../../../../../../etc/services{{"], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby, :coffee, :haml]}
Illustration online protection

Rails Long Term Support

Rails LTS provides security patches for old versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2)

  • Prevents you from data breaches and liability risks
  • Upgrade at your own pace
  • Works with modern Rubies
Read more Show archive.org snapshot

or fails like this:

Invalid query parameters: invalid %-encoding (../../../../../../../../../etc/passwd%%0000.html)

Someone tries to exploit CVE-2019-5418 Show archive.org snapshot .
If you use the latest Rails (or latest Rails LTS Show archive.org snapshot ) you're safe. The exact versions that fix this issue are: Rails 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1, Rails LTS 3.2.22.13 and Rails LTS 2.3.18.24.

Posted by Judith Roth to makandra dev (2019-05-29 09:25)