
CVE-2019-18978: The rack-cors rubygem may allow directory traversal

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.72685%
Published: 11/15/2019
Updated: 1/23/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
rack-cors      rubygems    < 1.0.4               1.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper path normalization before resource matching. The commit e4d4fc3 introduced a new evaluate_path function to unescape and resolve paths, then passed this sanitized path to process_preflight, process_cors, and match_resource. Prior to this fix, these functions used the raw env[PATH_INFO] value, which could contain unescaped '../' sequences. The lack of canonicalization in match_resource (which performed the actual resource matching) allowed attackers to bypass access controls. The high confidence comes from the explicit patch changes showing these functions were modified to accept sanitized paths, and test cases added to verify path traversal prevention.
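The normalization step the analysis describes, written out as an added example that is not rack-cors's own code: a small resource matcher in the shape of a CORS middleware check, with the raw PATH_INFO comparison the analysis calls out beside a version that percent-decodes and resolves "." and ".." segments before matching. It goes slightly beyond the text by also covering a percent-encoded ".." segment, since the fix unescapes before it resolves. The "/public/*" pattern syntax, the PathCanon and CorsResourceMatcher names, and the sample paths are assumptions for this demo.

```ruby
# Added example, not rack-cors's own code. PathCanon, CorsResourceMatcher,
# the "/prefix/*" pattern syntax and the sample paths are assumptions.

module PathCanon
  # Percent-decode a PATH_INFO value and collapse "." and ".." segments.
  # Returns nil when the path would climb above the root, so the caller fails
  # closed rather than matching a resource it never meant to expose.
  def self.canonicalize(path_info)
    return nil if path_info.nil?

    decoded = path_info.to_s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    segments = []
    decoded.split('/').each do |seg|
      case seg
      when '', '.'
        next                              # empty or current-directory segment
      when '..'
        return nil if segments.empty?     # attempt to escape the root
        segments.pop
      else
        segments << seg
      end
    end
    '/' + segments.join('/')
  end
end

class CorsResourceMatcher
  # pattern: a literal path prefix where "*" matches any remaining characters.
  def initialize(pattern)
    @regex = /\A#{Regexp.escape(pattern).gsub('\*', '.*')}\z/
  end

  # Vulnerable shape: match whatever PATH_INFO the client sent, as-is.
  # "/public/../private/secret" still begins with "/public/", so it matches.
  def match_raw?(path_info)
    @regex.match?(path_info.to_s)
  end

  # Hardened shape: canonicalize first, refuse root escapes, then match.
  def match_canonical?(path_info)
    canon = PathCanon.canonicalize(path_info)
    return false if canon.nil?

    @regex.match?(canon)
  end
end

if __FILE__ == $PROGRAM_NAME
  matcher = CorsResourceMatcher.new('/public/*')
  # Constructed sample requests: one legitimate, two that reach /private
  # through a segment the raw comparison never resolves.
  ['/public/docs/./index.html',
   '/public/../private/secret',
   '/public/%2e%2e/private/secret'].each do |path|
    puts format('%-32s raw=%-5s canonical=%s', path,
                matcher.match_raw?(path), matcher.match_canonical?(path))
  end
end
```

The point of returning nil for a root escape is that the matcher then answers false, rather than matching a normalized path that happens to fall under some other rule; canonicalization should be the only path representation that ever reaches the resource rules.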


WAF Protection Rules

WAF Rule

An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
