
CVE-2021-43840: Path traversal when MessageBus::Diagnostics is enabled

CVSS Score (v3.1): 4.2

Basic Information

EPSS Score: 0.45977%
Published: 12/17/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| message_bus  | rubygems  | < 3.3.7             | 3.3.7                 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper path sanitization in the diagnostics asset handling. The pre-patch code in diagnostics.rb used a regex to check whether the asset path contained slashes, but that check did not prevent directory traversal sequences. The commit fixed this by introducing an explicit allowlist (JS_ASSETS) of permitted files. The vulnerable function is the request handler (the call method), where asset path validation took place: it accepted any asset name that contained no literal slash, which left room for encoded traversal sequences. The test case '/message-bus/_diagnostics/assets/../Gemfile' added in the spec confirms this was the attack vector.
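To make the difference between the two checks concrete, here is an added example (not code from the message_bus gem) that places a slash-only check next to an allowlist check and adds a containment check on the resolved path. The asset root and the allowlisted file names are assumptions for the example, and the three inputs are constructed.

```ruby
require "uri"

# Assumed asset root for this example; any absolute directory works.
ASSET_ROOT = File.expand_path("assets", Dir.pwd)

# Pre-patch style check described above: only a literal "/" is rejected.
def slash_check_allows?(asset)
  asset !~ %r{/}
end

# Allowlist in the style of the fix. File names are assumed, not the gem's list.
JS_ASSETS = %w[message-bus.js message-bus-ajax.js].freeze

def allowlist_allows?(asset)
  JS_ASSETS.include?(asset)
end

# Defence in depth: percent-decode, resolve the way a file open would,
# and require the result to stay below ASSET_ROOT.
def resolved_inside_root?(asset)
  decoded = URI.decode_www_form_component(asset)
  full = File.expand_path(decoded, ASSET_ROOT)
  full.start_with?(ASSET_ROOT + File::SEPARATOR)
end

# Run all three checks so the weak one can be compared with the others.
def evaluate(asset)
  {
    slash_check: slash_check_allows?(asset),
    allowlist: allowlist_allows?(asset),
    inside_root: resolved_inside_root?(asset)
  }
end

if __FILE__ == $0
  # Constructed inputs: a legitimate asset, the spec's traversal string,
  # and the same string with its slash percent-encoded.
  ["message-bus.js", "../Gemfile", "..%2FGemfile"].each do |asset|
    puts "#{asset}: #{evaluate(asset)}"
  end
end
```

The encoded input passes the slash-only check yet resolves outside the asset root, while both the allowlist and the containment check reject it.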


WAF Protection Rules

WAF Rule

Impact

Users who deployed message bus with diagnostics features enabled (default off) were vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the dia
