Skip to content

Path traversal when MessageBus::Diagnostics is enabled

Moderate
SamSaffron published GHSA-xmgj-5fh3-xjmm Dec 17, 2021

Package

MessageBus (Ruby)

Affected versions

< 3.3.6

Patched versions

>= 3.3.7

Description

Impact

Users who deployed message bus with diagnostics features enabled (default off) were vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with merge_slashes enabled, the number of steps up the directories that can be read is limited to 3 levels.

Patches

Patched in 3.3.7.

Workarounds

Disable MessageBus::Diagnostics in production like environments.

Severity

Moderate
4.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2021-43840

Weaknesses

No CWEs