SYM_RB_0075 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-controlled request parameters are passed directly to the `render` method in Rails, so the client decides which file or template is rendered. An attacker can use this to request and display files the application never intended to serve.
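The following is an added example, not code from the SymbioticSec page or from any Rails project. It contrasts the unsafe pattern (the raw parameter goes to `render`) with two hardened forms: an allowlist that maps the parameter to a fixed template, and a path-confinement check for open-ended file sets. Rails is not loaded; a hash standing in for the `render` call, the base directory `/app/views`, and the sample inputs are all constructed for the example.

```ruby
require "pathname"

# Unsafe shape: whatever the client sends is what Rails will try to render.
# The returned hash stands in for `render params[:template]`.
def render_from_param_unsafe(params)
  { rendered: params[:template] }
end

# Hardened shape 1 (preferred): the parameter selects from a fixed set of
# templates; anything outside the map is a 404, never a file lookup.
ALLOWED_TEMPLATES = {
  "summary" => "reports/summary",
  "detail"  => "reports/detail",
}.freeze

def render_from_param_allowlisted(params)
  template = ALLOWED_TEMPLATES[params[:template].to_s]
  template ? { rendered: template } : { status: 404 }
end

# Hardened shape 2: when the set of files is open-ended, resolve the request
# against a base directory and check the *canonical* path, not the raw string.
# Pathname#+ and #expand_path collapse ".." segments and let an absolute
# input replace the base, so both cases fall outside the prefix and are
# rejected. Returns the safe relative path, or nil when it escapes the base.
def confined_template(base_dir, requested)
  base = Pathname.new(base_dir).expand_path
  candidate = (base + requested.to_s).expand_path
  return nil unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
  candidate.relative_path_from(base).to_s
end
```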
Impact
If exploited, attackers could access sensitive files on the server, such as configuration files or source code, potentially exposing secrets, credentials, or other confidential information. This can lead to data breaches or compromise of the entire application.