CVE-2019-5418

Description

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

Reserved 2019-01-04 | Published 2019-03-27 | Updated 2025-07-07 | Assigner hackerone

CISA Known Exploited Vulnerability

Date added 2025-07-07 | Due date 2025-07-28

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

Path Traversal (CWE-22)

Product status

5.2.2.1
affected

5.1.6.2
affected

5.0.7.2
affected

4.2.11.1
affected

References

www.exploit-db.com/exploits/46585/ (46585) exploit

packetstormsecurity.com/...rary-File-Content-Disclosure.html

www.openwall.com/lists/oss-security/2019/03/22/1 ([oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View) mailing-list

weblog.rubyonrails.org/...-2-5-1-5-1-6-2-have-been-released/

groups.google.com/forum/

lists.debian.org/debian-lts-announce/2019/03/msg00042.html ([debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update) mailing-list

access.redhat.com/errata/RHSA-2019:0796 (RHSA-2019:0796) vendor-advisory

lists.opensuse.org/...ecurity-announce/2019-05/msg00011.html (openSUSE-SU-2019:1344) vendor-advisory

lists.fedoraproject.org/...Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/ (FEDORA-2019-1cfe24db5c) vendor-advisory

access.redhat.com/errata/RHSA-2019:1149 (RHSA-2019:1149) vendor-advisory

access.redhat.com/errata/RHSA-2019:1147 (RHSA-2019:1147) vendor-advisory

access.redhat.com/errata/RHSA-2019:1289 (RHSA-2019:1289) vendor-advisory

cve.org (CVE-2019-5418)

nvd.nist.gov (CVE-2019-5418)

Download JSON