Candidate: CVE-2018-3760
PublicDate: 2018-06-26 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3760
 http://www.openwall.com/lists/oss-security/2018/06/19/2
 https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
Description:
 There is an information leak vulnerability in Sprockets. Versions
 Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.
 Specially crafted requests can be used to access files that exist on
 the filesystem outside an application's root directory, when the
 Sprockets server is used in production. All users running an affected
 release should either upgrade or use one of the workarounds
 immediately.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901913
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_ruby-sprockets:
upstream_ruby-sprockets: released (3.7.0-1.1)
precise/esm_ruby-sprockets: DNE
trusty_ruby-sprockets: ignored (reached end-of-life)
trusty/esm_ruby-sprockets: DNE (trusty was needs-triage)
xenial_ruby-sprockets: ignored (end of standard support, was needed)
artful_ruby-sprockets: released (3.7.0-1+deb9u1build0.17.10.1)
bionic_ruby-sprockets: released (3.7.0-1+deb9u1build0.18.04.1)
cosmic_ruby-sprockets: ignored (reached end-of-life)
disco_ruby-sprockets: not-affected (3.7.2-1)
eoan_ruby-sprockets: not-affected (3.7.2-1)
focal_ruby-sprockets: not-affected (3.7.2-1)
groovy_ruby-sprockets: not-affected (3.7.2-1)
hirsute_ruby-sprockets: not-affected (3.7.2-1)
impish_ruby-sprockets: not-affected (3.7.2-1)
jammy_ruby-sprockets: not-affected (3.7.2-1)
devel_ruby-sprockets: not-affected (3.7.2-1)