All previously released versions of Sprockets, the software that powers the Rails asset pipeline, contain a directory traversal vulnerability. This vulnerability has been assigned CVE-2018-3760.
How do I know if I'm affected?
Rails applications are vulnerable if they have this setting enabled in their application:
# config/environments/production.rb config.assets.compile = true # setting to true makes your app vulnerable Note: The default value of this setting that ships with Rails in
production.rbisfalse. By default, Rails apps running in production mode are not vulnerable to this exploit.
How do I fix it?
To remediate this vulnerability, applications can either change the...