CVE-2026-33195.yml
---
gem: activestorage
framework: rails
cve: 2026-33195
ghsa: 9xrj-h377-fr87
url: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
title: Rails Active Storage has possible Path Traversal in DiskService
date: 2026-03-23
description: |
  ### Impact
  Active Storage's `DiskService#path_for` does not validate that the
  resolved filesystem path remains within the storage root directory.
  If a blob key containing path traversal sequences (e.g. `../`) is used,
  it could allow reading, writing, or deleting arbitrary files on the server.
  Blob keys are expected to be trusted strings,
  but some applications could be passing user input as keys and would be affected.
  ### Releases
  The fixed releases are available at the normal locations.
patched_versions:
  - "~> 7.2.3, >= 7.2.3.1"
  - "~> 8.0.4, >= 8.0.4.1"
  - ">= 8.1.2.1"
related:
  url:
    - https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
    - https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
    - https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
    - https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
    - https://github.com/rails/rails/releases/tag/v7.2.3.1
    - https://github.com/rails/rails/releases/tag/v8.0.4.1
    - https://github.com/rails/rails/releases/tag/v8.1.2.1
    - https://github.com/advisories/GHSA-9xrj-h377-fr87