VulnerableCode Package Details - pkg:gem/actionview@4.2.11.0

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-8dad-dvat-1fg4 Aliases: CVE-2019-5418 GHSA-86g5-2wh3-gc9j	Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do \|format\| format.symbol \|\| format.ref == "/" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub	4.2.11.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.0.beta1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.7.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.0.beta1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.6.2 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.0.beta1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.2.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.0.beta1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-c8b5-d83n-nuhw Aliases: CVE-2019-5419 GHSA-m63j-wh5w-c252	Allocation of Resources Without Limits or Throttling There is a possible denial of service vulnerability in Action View (Rails) where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.	4.2.11.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.7.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.6.2 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.2.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.0.beta3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8dad-dvat-1fg4
Aliases:
CVE-2019-5418
GHSA-86g5-2wh3-gc9j

Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub

4.2.11.1
Affected by 5 other vulnerabilities.

5.0.0.beta1
Affected by 7 other vulnerabilities.

5.0.7.2
Affected by 4 other vulnerabilities.

5.1.0.beta1
Affected by 5 other vulnerabilities.

5.1.6.2
Affected by 5 other vulnerabilities.

5.2.0.beta1
Affected by 5 other vulnerabilities.

5.2.2.1
Affected by 5 other vulnerabilities.

6.0.0.beta1
Affected by 3 other vulnerabilities.

VCID-c8b5-d83n-nuhw
Aliases:
CVE-2019-5419
GHSA-m63j-wh5w-c252

Allocation of Resources Without Limits or Throttling There is a possible denial of service vulnerability in Action View (Rails) where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.

4.2.11.1
Affected by 5 other vulnerabilities.

5.0.7.2
Affected by 4 other vulnerabilities.

5.1.6.2
Affected by 5 other vulnerabilities.

5.2.2.1
Affected by 5 other vulnerabilities.

6.0.0.beta3
Affected by 2 other vulnerabilities.

purl	pkg:gem/actionview@4.2.11.0
Tags	Ghost

Next non-vulnerable version	6.1.7.3
Latest non-vulnerable version	8.1.2.1
Risk	10.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T15:57:21.782992+00:00	GHSA Importer	Affected by	VCID-8dad-dvat-1fg4	https://github.com/advisories/GHSA-86g5-2wh3-gc9j	38.0.0
2026-04-01T15:57:21.543087+00:00	GHSA Importer	Affected by	VCID-c8b5-d83n-nuhw	https://github.com/advisories/GHSA-m63j-wh5w-c252	38.0.0