PublicDateAtUSN: 2019-11-14 21:15:00 UTC
Candidate: CVE-2019-18978
PublicDate: 2019-11-14 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18978
 https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4
 https://ubuntu.com/security/notices/USN-4571-1
Description:
 An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
Ubuntu-Description:
 It was discovered that rack-cors did not properly handle relative file paths. An attacker could use this vulnerability to access arbitrary files.
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944849
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_ruby-rack-cors:
 upstream: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
upstream_ruby-rack-cors: needs-triage
precise/esm_ruby-rack-cors: DNE
trusty_ruby-rack-cors: ignored (out of standard support)
trusty/esm_ruby-rack-cors: DNE
xenial_ruby-rack-cors: released (0.4.0-1+deb9u2build0.16.04.1)
bionic_ruby-rack-cors: needed
disco_ruby-rack-cors: ignored (reached end-of-life)
eoan_ruby-rack-cors: ignored (reached end-of-life)
focal_ruby-rack-cors: not-affected (1.1.1-1)
groovy_ruby-rack-cors: not-affected (1.1.1-1)
hirsute_ruby-rack-cors: not-affected (1.1.1-1)
impish_ruby-rack-cors: not-affected (1.1.1-1)
jammy_ruby-rack-cors: not-affected (1.1.1-1)
devel_ruby-rack-cors: not-affected (1.1.1-1)