CVE-2019-5418 | Vulnerability Database | Aqua Security

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target systems filesystem to be exposed.

Affected Software

Name	Vendor	Start Version	End Version
Rails	Rubyonrails	3.0.0 (including)	4.2.11.1 (excluding)
Rails	Rubyonrails	5.0.0 (including)	5.0.7.2 (excluding)
Rails	Rubyonrails	5.1.0 (including)	5.1.6.2 (excluding)
Rails	Rubyonrails	5.2.0 (including)	5.2.2.1 (excluding)

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
http://www.openwall.com/lists/oss-security/2019/03/22/1
https://access.redhat.com/errata/RHSA-2019:0796
https://access.redhat.com/errata/RHSA-2019:1147
https://access.redhat.com/errata/RHSA-2019:1149
https://access.redhat.com/errata/RHSA-2019:1289
https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
https://www.exploit-db.com/exploits/46585/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-5418
CWE	https://cwe.mitre.org/data/definitions/.html