CVE-2018-3760
PUBLISHED
There is an information leak vulnerability in Sprockets. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.
Risk Scores
- EPSS Score: 93.89% (99.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudflare | access | |
| Ubuntu:18.04:LTS | ruby-sprockets | 0, 3.7.0-1 |
| Ubuntu:16.04:LTS | ruby-sprockets | 0, 2.12.3-1, 3.3.0-1 |
Timeline
- CVE Published
- Jul 19, 2018 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-3760 third-party-advisory
- http://www.openwall.com/lists/oss-security/2018/06/19/2 third-party-advisory
- https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-3760 third-party-advisory