Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ns2u-nkbu-7fbp
Vulnerability ID VCID-ns2u-nkbu-7fbp
Aliases CVE-2019-5418
GHSA-86g5-2wh3-gc9j
Summary Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
ssvc Attend http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
cvssv3.1 7.5 http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
cvssv3.1 7.5 http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
generic_textual HIGH http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
ssvc Attend http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:0796
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:0796
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:0796
ssvc Attend https://access.redhat.com/errata/RHSA-2019:0796
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1147
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1147
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:1147
ssvc Attend https://access.redhat.com/errata/RHSA-2019:1147
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1149
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1149
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:1149
ssvc Attend https://access.redhat.com/errata/RHSA-2019:1149
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1289
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:1289
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:1289
ssvc Attend https://access.redhat.com/errata/RHSA-2019:1289
epss 0.94318 https://api.first.org/data/v1/epss?cve=CVE-2019-5418
cvssv3 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-86g5-2wh3-gc9j
cvssv3.1 7.5 https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
cvssv3.1 7.5 https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
generic_textual HIGH https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
ssvc Attend https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
cvssv3 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
cvssv3.1 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
generic_textual HIGH https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
cvssv3.1 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
generic_textual HIGH https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
ssvc Attend https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-5418
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2019-5418
cvssv3.1 7.5 https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
generic_textual HIGH https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
cvssv3.1 7.5 https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
generic_textual HIGH https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
cvssv3.1 7.5 https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
ssvc Attend https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
cvssv3.1 7.5 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
generic_textual HIGH https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
cvssv3.1 7.5 https://www.exploit-db.com/exploits/46585
generic_textual HIGH https://www.exploit-db.com/exploits/46585
cvssv3.1 7.5 https://www.exploit-db.com/exploits/46585/
ssvc Attend https://www.exploit-db.com/exploits/46585/
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2019/03/22/1
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2019/03/22/1
generic_textual HIGH http://www.openwall.com/lists/oss-security/2019/03/22/1
ssvc Attend http://www.openwall.com/lists/oss-security/2019/03/22/1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
https://access.redhat.com/errata/RHSA-2019:0796
https://access.redhat.com/errata/RHSA-2019:1147
https://access.redhat.com/errata/RHSA-2019:1149
https://access.redhat.com/errata/RHSA-2019:1289
https://api.first.org/data/v1/epss?cve=CVE-2019-5418
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
https://www.exploit-db.com/exploits/46585
https://www.exploit-db.com/exploits/46585/
http://www.openwall.com/lists/oss-security/2019/03/22/1
924520 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
CVE-2019-5418 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py
CVE-2019-5418 https://nvd.nist.gov/vuln/detail/CVE-2019-5418
GHSA-86g5-2wh3-gc9j https://github.com/advisories/GHSA-86g5-2wh3-gc9j
USN-7646-1 https://usn.ubuntu.com/7646-1/
Y43636TH4D6T46IC6N2RQVJTRFJAAYGA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
Data source KEV
Date added July 7, 2025
Description Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date July 28, 2025
Note 
https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-5418
Ransomware campaign use Unknown
Data source Metasploit
Description This module uses a path traversal vulnerability in Ruby on Rails versions =< 5.2.2 to read files on a target server.
Note 
AKA:
  - DoubleTap
Stability:
  - unknown-stability
Reliability:
  - unknown-reliability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/rails_doubletap_file_read.rb
Data source Exploit-DB
Date added March 21, 2019
Description Rails 5.2.1 - Arbitrary File Content Disclosure
Ransomware campaign use Unknown
Source publication date March 21, 2019
Exploit type webapps
Platform multiple
Source update date March 21, 2019
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:0796
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://access.redhat.com/errata/RHSA-2019:0796
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://access.redhat.com/errata/RHSA-2019:0796
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:1147
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://access.redhat.com/errata/RHSA-2019:1147
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://access.redhat.com/errata/RHSA-2019:1147
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://access.redhat.com/errata/RHSA-2019:1149
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:1149
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://access.redhat.com/errata/RHSA-2019:1149
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:1289
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://access.redhat.com/errata/RHSA-2019:1289
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://access.redhat.com/errata/RHSA-2019:1289
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-5418
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at https://www.exploit-db.com/exploits/46585
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.exploit-db.com/exploits/46585/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at https://www.exploit-db.com/exploits/46585/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H Found at http://www.openwall.com/lists/oss-security/2019/03/22/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2019/03/22/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/ Found at http://www.openwall.com/lists/oss-security/2019/03/22/1
Exploit Prediction Scoring System (EPSS)
Percentile 0.99952
EPSS Score 0.94318
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:54:53.197456+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionview/CVE-2019-5418.yml 38.6.0