CVE-2021-43840: Path traversal when MessageBus::Diagnostics is enabled
CVSS Score (CVSS v3.1): 4.2
Basic Information
CVE ID: CVE-2021-43840
GHSA ID
EPSS Score: 0.45977%
CWE
Published: 12/17/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
message_bus | rubygems | < 3.3.7 | 3.3.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper path sanitization in the diagnostics asset handling. The pre-patch code in diagnostics.rb used a regex to check whether the requested asset path contained slashes, but that check did not prevent directory traversal sequences. The fix commit replaced it with an explicit allowlist (JS_ASSETS) of permitted files. The vulnerable function is the request handler (the call method), where asset path validation took place: it previously served any asset name without slashes, which could be manipulated via encoded traversal sequences. The test case '/message-bus/_diagnostics/assets/../Gemfile' added in the spec confirms this was the attack vector.
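To make the difference between the two checks concrete, the following is an added Ruby illustration, not message_bus's own code: it models the pre-patch "no slashes" regex beside the post-patch allowlist. The asset directory, the contents of JS_ASSETS and the percent-decoding step are assumptions made for the illustration.

```ruby
require "set"
require "uri"

# Constructed example: a simplified model of the check described above,
# not the real diagnostics.rb. Paths and file names are hypothetical.
ASSET_PREFIX = "/message-bus/_diagnostics/assets/"
ASSET_DIR    = "/srv/app/assets"   # hypothetical install location

# Allowlist of files the handler may serve. The real JS_ASSETS lives in
# diagnostics.rb; these entries are assumptions for illustration only.
JS_ASSETS = Set.new(%w[application.js message-bus.js]).freeze

# Pre-patch style: any asset segment without a literal "/" is accepted.
# A percent-encoded traversal sequence contains no literal slash, so it
# passes the regex, yet once decoded it resolves outside ASSET_DIR.
def asset_file_prepatch(path_info)
  return nil unless path_info.start_with?(ASSET_PREFIX)
  asset = path_info.delete_prefix(ASSET_PREFIX)
  return nil if asset.match?(%r{/})
  File.expand_path(URI.decode_www_form_component(asset), ASSET_DIR)
end

# Post-patch style: only an exact, allowlisted file name is served, so
# there is no path arithmetic an attacker-controlled string can influence.
def asset_file_patched(path_info)
  return nil unless path_info.start_with?(ASSET_PREFIX)
  asset = path_info.delete_prefix(ASSET_PREFIX)
  return nil unless JS_ASSETS.include?(asset)
  File.join(ASSET_DIR, asset)
end

# Containment check a reviewer would want in addition to the allowlist:
# whatever was resolved must still sit inside ASSET_DIR.
def inside_asset_dir?(file)
  !file.nil? && file.start_with?(ASSET_DIR + "/")
end
```

Running the two handlers over the spec's traversal path and over its percent-encoded variant shows the allowlist rejecting both while the slash regex only rejects the literal form.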