High severity7.5CISA KEVNVD Advisory· Published Feb 16, 2016· Updated Apr 22, 2026

CVE-2016-0752

Description

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
actionviewRubyGems	>= 4.0.0, < 4.1.14.1	4.1.14.1
actionviewRubyGems	>= 4.2.0, < 4.2.5.1	4.2.5.1
actionpackRubyGems	>= 4.0.0, < 4.1.14.1	4.1.14.1
actionpackRubyGems	>= 4.2.0, < 4.2.5.1	4.2.5.1
actionpackRubyGems	< 3.2.22.1	3.2.22.1

Affected products

Red Hat/Software Collections
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
Rubyonrails/Rails2 versions
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*range: <3.2.22.1
- cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OpenSUSE/openSUSE
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
SUSE S.A./Linux Enterprise Module For Containers
cpe:2.3:o:suse:linux_enterprise_module_for_containers:12:*:*:*:*:*:*:*

Patches

8d86637fb64a

https://github.com/rails/railsvia osv

31ab3aa0e881

https://github.com/rails/railsvia osv

bb382b7aee11

https://github.com/rails/railsvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2016/01/25/13nvdExploitMailing ListWEB
www.exploit-db.com/exploits/40561/nvdExploitThird Party AdvisoryVDB Entry
lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.htmlnvdMailing ListThird Party AdvisoryWEB
lists.opensuse.org/opensuse-updates/2016-02/msg00034.htmlnvdMailing ListThird Party AdvisoryWEB
lists.opensuse.org/opensuse-updates/2016-02/msg00043.htmlnvdMailing ListThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2016-0296.htmlnvdThird Party AdvisoryWEB
www.debian.org/security/2016/dsa-3464nvdMailing ListThird Party AdvisoryWEB
www.securityfocus.com/bid/81801nvdBroken LinkThird Party AdvisoryVDB EntryWEB
www.securitytracker.com/id/1034816nvdBroken LinkThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-xrr4-p6fq-hjg7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-0752ghsaADVISORY
lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.htmlnvdPermissions RequiredWEB
lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.htmlnvdPermissions RequiredWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.ymlghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.ymlghsaWEB
groups.google.com/forum/ghsaWEB
groups.google.com/forum/message/rawnvdBroken LinkWEB
web.archive.org/web/20210618005620/https://groups.google.com/forum/message/rawghsaWEB
web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801ghsaWEB
web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816ghsaWEB
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
www.exploit-db.com/exploits/40561ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.073
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000