Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path traversal in message_bus
Vulnerability Description
message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
MessageBus 路径遍历漏洞
Vulnerability Description
MessageBus是用于 Ruby 进程和 Web 客户端的可靠、健壮的消息传递总线。 MessageBus 存在路径遍历漏洞,该漏洞源于message_bus 缺少对于路径的数据的限制与过滤,部署message_bus时启用了诊断功能(默认关闭)的用户容易出现路径遍历错误,如果意外用户访问诊断路由,可能会导致机器上的秘密信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A