{"id":"CVE-2016-2097","details":"Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.","aliases":["GHSA-vx9j-46rh-fqr8"],"modified":"2026-04-10T03:48:48.091448Z","published":"2016-04-07T23:59:05.800Z","related":["SUSE-SU-2016:0854-1","SUSE-SU-2016:0967-1","SUSE-SU-2022:15116-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/83726"},{"type":"WEB","url":"http://www.securitytracker.com/id/1035122"},{"type":"WEB","url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3509"},{"type":"FIX","url":"http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"last_affected":"375d9a0a7fb329b0fbbd75a13e93e53a00520587"},{"introduced":"0"},{"last_affected":"202041e762a98cb433c3a24a0b03308d4e05a99d"},{"introduced":"0"},{"last_affected":"1ec64297f9347986a11ce38af2cc3434d99c66c2"},{"introduced":"0"},{"last_affected":"7b0d3a550328f64f23f38a27864419d72b941f2f"},{"introduced":"0"},{"last_affected":"5505c1d700f17e2009e1189a7aa6dafafe7062a4"},{"introduced":"0"},{"last_affected":"3f2bc99024d25c73f5de66a36d3f897c484705b8"},{"introduced":"0"},{"last_affected":"3449a204014c2c4db2238559a75586400766adee"},{"introduced":"0"},{"last_affected":"b91f81c45bce0ecde0901d1a595051b8552a93fa"},{"introduced":"0"},{"last_affected":"9466dad7468f106bad6f8e2a0b468fb3ab113dcb"},{"introduced":"0"},{"last_affected":"98d06c6bd4eefeeb342d05116fccefa11875cb9b"},{"introduced":"0"},{"last_affected":"1f6113c6a9f1f2f8e362b0e7702afac5d8cf98db"},{"introduced":"0"},{"last_affected":"2abe4b032d080f7177c6f2e34c9124c468e8a293"},{"introduced":"0"},{"last_affected":"26bfdf9f300be2ada831a34b8eb71f55a9a5122f"},{"introduced":"0"},{"last_affected":"15ac2f0b6b2702f180707f480eb966a4e3b96e25"},{"introduced":"0"},{"last_affected":"276b72c60342eb716e7457b447bce1e352780e92"},{"introduced":"0"},{"last_affected":"100682883ba38cd8420350ef21d47f26e1b9c6c5"},{"introduced":"0"},{"last_affected":"13c6bac0b73d4bba9cf0714b65cd1e339ee481b2"},{"introduced":"0"},{"last_affected":"9649cb4b51c7f0194e02252e5b88a362a70da97f"},{"introduced":"0"},{"last_affected":"f17b04a23e7c597876cb2320ef9d525537e0b0a8"},{"introduced":"0"},{"last_affected":"31e922996b97b7c223ebc1e26d1a1a2764bb0a62"},{"introduced":"0"},{"last_affected":"b792566f3ebdd0c7dc688db7a4076d1c2c74f69f"},{"introduced":"0"},{"last_affected":"77b60a2c43c1188d4d2d2e52fa5fd59b50e92e1b"},{"introduced":"0"},{"last_affected":"4e168015cef61207981d2427d4dbb6cf15f71182"},{"introduced":"0"},{"last_affected":"f706d5f945c5751072bb90d080aff154e6858435"},{"introduced":"0"},{"last_affected":"8b20c72dd80e2faf531f308d430a145a253aeac3"},{"introduced":"0"},{"last_affected":"78ba185fb91d7066ae5c396ca97034c13054236c"},{"introduced":"0"},{"last_affected":"6b6f8b566ef3245f5b25d03c61b2af0a1f55301e"},{"introduced":"0"},{"last_affected":"254e8e2c97b5df1dafd54cf8f305f7bad05f4a63"},{"introduced":"0"},{"last_affected":"0690f6f3a47b8fddf60ac57da006f0b8bfa22e32"},{"introduced":"0"},{"last_affected":"fcb1afc245455130ca6d42db8760cc7b43b99d18"},{"introduced":"0"},{"last_affected":"5006b63ae3609aee86c4dae603d8dfe80230b1b1"},{"introduced":"0"},{"last_affected":"6ed0f63398ba7268c541f9b959f7a56b68584301"},{"introduced":"0"},{"last_affected":"dfa7a76de8c1f7af0ef28119f9ac3072057c665e"},{"introduced":"0"},{"last_affected":"7c4bfe1c954ef90acf4f790e46fcbbd07d85af3e"},{"introduced":"0"},{"last_affected":"9bb76261d39b59e7e229c80d052ca91a65ff17be"},{"introduced":"0"},{"last_affected":"c5310bed8642656ade02d97c6fae651b54654a6b"},{"introduced":"0"},{"last_affected":"57d65e3b286dcddbc4f07db1c618da42f31d1b84"},{"introduced":"0"},{"last_affected":"6fe2572af11dc42f33d4f0e33a22391a85f2a1d2"},{"introduced":"0"},{"last_affected":"7b8e4f82717fcb944eb7e712050b223bd47b544e"},{"introduced":"0"},{"last_affected":"b32babc4b0ff8f830933f25375ce9dbfbb356601"},{"introduced":"0"},{"last_affected":"116695b25890e2587923d4a237ce4107e3adb145"},{"introduced":"0"},{"last_affected":"a698862cbce7f12475d3fefdb7268022b3bd9af1"},{"introduced":"0"},{"last_affected":"08217de91143353f263ede79bcc01d529f644c30"},{"introduced":"0"},{"last_affected":"77e324b59ec0e0b09f5c26b035add9de40482470"},{"introduced":"0"},{"last_affected":"410f7d29e998befb27ab0b3dee3bbe83944bdc04"},{"introduced":"0"},{"last_affected":"68d324549668169a41bb30f98afdd01682bc5dec"},{"introduced":"0"},{"last_affected":"099a9181fcf350b05bc33b61bac288277b994ad0"},{"introduced":"0"},{"last_affected":"23df8809089cf3e5646829095ab0433f93f3e736"},{"introduced":"0"},{"last_affected":"96c4b1a1311b0f9e099db2819f08a2277377c552"},{"introduced":"0"},{"last_affected":"8d86637fb64ae8ae81ab71a286ddba02cc3144a4"},{"introduced":"0"},{"last_affected":"31ab3aa0e881acfd1475abae602455905a4cadf1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.0-NA"},{"introduced":"0"},{"last_affected":"4.0.0-beta"},{"introduced":"0"},{"last_affected":"4.0.0-rc1"},{"introduced":"0"},{"last_affected":"4.0.0-rc2"},{"introduced":"0"},{"last_affected":"4.0.1-NA"},{"introduced":"0"},{"last_affected":"4.0.1-rc1"},{"introduced":"0"},{"last_affected":"4.0.1-rc2"},{"introduced":"0"},{"last_affected":"4.0.1-rc3"},{"introduced":"0"},{"last_affected":"4.0.1-rc4"},{"introduced":"0"},{"last_affected":"4.0.2"},{"introduced":"0"},{"last_affected":"4.0.3"},{"introduced":"0"},{"last_affected":"4.0.4"},{"introduced":"0"},{"last_affected":"4.0.4-rc1"},{"introduced":"0"},{"last_affected":"4.0.5"},{"introduced":"0"},{"last_affected":"4.0.6"},{"introduced":"0"},{"last_affected":"4.0.6-rc1"},{"introduced":"0"},{"last_affected":"4.0.6-rc2"},{"introduced":"0"},{"last_affected":"4.0.6-rc3"},{"introduced":"0"},{"last_affected":"4.0.7"},{"introduced":"0"},{"last_affected":"4.0.8"},{"introduced":"0"},{"last_affected":"4.0.9"},{"introduced":"0"},{"last_affected":"4.0.10-rc1"},{"introduced":"0"},{"last_affected":"4.1.0-NA"},{"introduced":"0"},{"last_affected":"4.1.0-beta1"},{"introduced":"0"},{"last_affected":"4.1.0-beta2"},{"introduced":"0"},{"last_affected":"4.1.0-rc1"},{"introduced":"0"},{"last_affected":"4.1.0-rc2"},{"introduced":"0"},{"last_affected":"4.1.1"},{"introduced":"0"},{"last_affected":"4.1.2"},{"introduced":"0"},{"last_affected":"4.1.2-rc1"},{"introduced":"0"},{"last_affected":"4.1.2-rc2"},{"introduced":"0"},{"last_affected":"4.1.2-rc3"},{"introduced":"0"},{"last_affected":"4.1.3"},{"introduced":"0"},{"last_affected":"4.1.4"},{"introduced":"0"},{"last_affected":"4.1.5"},{"introduced":"0"},{"last_affected":"4.1.6-rc1"},{"introduced":"0"},{"last_affected":"4.1.6-rc2"},{"introduced":"0"},{"last_affected":"4.1.7"},{"introduced":"0"},{"last_affected":"4.1.7.1"},{"introduced":"0"},{"last_affected":"4.1.8"},{"introduced":"0"},{"last_affected":"4.1.9-rc1"},{"introduced":"0"},{"last_affected":"4.1.10-rc1"},{"introduced":"0"},{"last_affected":"4.1.10-rc2"},{"introduced":"0"},{"last_affected":"4.1.10-rc3"},{"introduced":"0"},{"last_affected":"4.1.10-rc4"},{"introduced":"0"},{"last_affected":"4.1.12-rc1"},{"introduced":"0"},{"last_affected":"4.1.13-rc1"},{"introduced":"0"},{"last_affected":"4.1.14-rc1"},{"introduced":"0"},{"last_affected":"4.1.14-rc2"},{"introduced":"0"},{"last_affected":"3.2.22.1"},{"introduced":"0"},{"last_affected":"4.1.14.1"}]}}],"versions":["v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.12.0","v0.13.0","v0.13.1","v0.14.1","v0.14.3","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.4.1","v0.9.5","v1.1.0","v1.1.0_RC1","v1.1.1","v2.0.0","v2.0.0_PR","v2.0.0_RC1","v2.0.0_RC2","v2.0.1","v3.0.0.beta.3","v3.0.0.beta3","v3.1.0.beta1","v3.1.0.rc1","v3.2.0","v3.2.0.rc1","v3.2.0.rc2","v3.2.1","v3.2.16","v3.2.21","v3.2.22","v3.2.22.1","v3.2.3.rc1","v3.2.5","v3.2.8.rc1","v3.2.9.rc1","v3.2.9.rc2","v4.0.0","v4.0.0.beta1","v4.0.0.rc1","v4.0.0.rc2","v4.0.1","v4.0.1.rc1","v4.0.1.rc2","v4.0.1.rc3","v4.0.1.rc4","v4.0.10.rc1","v4.0.2","v4.0.3","v4.0.4","v4.0.4.rc1","v4.0.5","v4.0.6","v4.0.6.rc1","v4.0.6.rc2","v4.0.6.rc3","v4.0.7","v4.0.8","v4.0.9","v4.1.0","v4.1.0.beta1","v4.1.0.beta2","v4.1.0.rc1","v4.1.0.rc2","v4.1.1","v4.1.10.rc1","v4.1.10.rc2","v4.1.10.rc3","v4.1.10.rc4","v4.1.12.rc1","v4.1.13.rc1","v4.1.14","v4.1.14.1","v4.1.14.rc1","v4.1.14.rc2","v4.1.2","v4.1.2.rc1","v4.1.2.rc2","v4.1.2.rc3","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.6.rc1","v4.1.6.rc2","v4.1.7","v4.1.7.1","v4.1.8","v4.1.9.rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2097.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}