GSD-2021-43840

Vulnerability from gsd - Updated: 2021-12-17 00:00
Details
### Impact Users who deployed message bus with diagnostics features enabled (default off) were vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. ### Workarounds Disable MessageBus::Diagnostics in production like environments.
Aliases
Aliases
CVE-2021-43840
To clipboard 

{
  "GSD": {
    "alias": "CVE-2021-43840",
    "description": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled.",
    "id": "GSD-2021-43840"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "message_bus",
            "purl": "pkg:gem/message_bus"
          }
        }
      ],
      "aliases": [
        "CVE-2021-43840",
        "GHSA-xmgj-5fh3-xjmm"
      ],
      "details": "### Impact\n\nUsers who deployed message bus with diagnostics features enabled (default off) were\nvulnerable to a path traversal bug, which could lead to disclosure of secret\ninformation on a machine if an unintended user were to gain access to the diagnostic\nroute. The impact is also greater if there is no proxy for your web application as\nthe number of steps up the directories is not bounded. For deployments which uses a\nproxy, the impact varies. For example, If a request goes through a proxy like Nginx\nwith `merge_slashes` enabled, the number of steps up the directories that can be\nread is limited to 3 levels.\n\n### Workarounds\n\nDisable MessageBus::Diagnostics in production like environments.\n",
      "id": "GSD-2021-43840",
      "modified": "2021-12-17T00:00:00.000Z",
      "published": "2021-12-17T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"
        },
        {
          "type": "WEB",
          "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.2,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Path traversal when MessageBus::Diagnostics is enabled"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-43840",
        "STATE": "PUBLIC",
        "TITLE": "Path traversal in message_bus"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "message_bus",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 3.3.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "discourse"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm",
            "refsource": "CONFIRM",
            "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"
          },
          {
            "name": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba",
            "refsource": "MISC",
            "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xmgj-5fh3-xjmm",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-43840",
      "cvss_v3": 4.2,
      "date": "2021-12-17",
      "description": "### Impact\n\nUsers who deployed message bus with diagnostics features enabled (default off) were\nvulnerable to a path traversal bug, which could lead to disclosure of secret\ninformation on a machine if an unintended user were to gain access to the diagnostic\nroute. The impact is also greater if there is no proxy for your web application as\nthe number of steps up the directories is not bounded. For deployments which uses a\nproxy, the impact varies. For example, If a request goes through a proxy like Nginx\nwith `merge_slashes` enabled, the number of steps up the directories that can be\nread is limited to 3 levels.\n\n### Workarounds\n\nDisable MessageBus::Diagnostics in production like environments.\n",
      "gem": "message_bus",
      "ghsa": "xmgj-5fh3-xjmm",
      "patched_versions": [
        "\u003e= 3.3.7"
      ],
      "related": {
        "url": [
          "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"
        ]
      },
      "title": "Path traversal when MessageBus::Diagnostics is enabled",
      "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.3.7",
          "affected_versions": "All versions before 3.3.7",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2021-12-29",
          "description": "message_bus is a messaging bus for Ruby processes and web clients. users who deployed message bus with diagnostics features enabled (default off) is vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled.",
          "fixed_versions": [
            "3.3.7"
          ],
          "identifier": "CVE-2021-43840",
          "identifiers": [
            "CVE-2021-43840",
            "GHSA-xmgj-5fh3-xjmm"
          ],
          "not_impacted": "All versions starting from 3.3.7",
          "package_slug": "gem/message_bus",
          "pubdate": "2021-12-17",
          "solution": "Upgrade to version 3.3.7 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-43840",
            "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm",
            "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"
          ],
          "uuid": "1a9b5336-afb7-44e4-b3f1-2a43da25ca54"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:discourse:message_bus:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.3.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43840"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"
            },
            {
              "name": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-12-29T18:39Z",
      "publishedDate": "2021-12-17T19:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.