Medium severity5.3NVD Advisory· Published Apr 7, 2016· Updated May 6, 2026
CVE-2016-2097
CVE-2016-2097
Description
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionviewRubyGems | >= 3.0.0, < 3.2.22.2 | 3.2.22.2 |
actionviewRubyGems | >= 4.0.0, < 4.1.14.2 | 4.1.14.2 |
actionpackRubyGems | >= 3.0.0, < 3.2.22.2 | 3.2.22.2 |
actionpackRubyGems | >= 4.0.0, < 4.1.14.2 | 4.1.14.2 |
Affected products
51cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*+ 48 more
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*range: <=3.2.22.1
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*
Patches
18a1d3ea617ffhttps://github.com/rails/railsvia ghsa
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
18- weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/nvdPatchVendor Advisory
- github.com/advisories/GHSA-vx9j-46rh-fqr8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-2097ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.htmlnvdWEB
- weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-releasedghsaWEB
- www.debian.org/security/2016/dsa-3509nvdWEB
- github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.ymlghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.ymlghsaWEB
- groups.google.com/forum/ghsaWEB
- web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122ghsaWEB
- web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726ghsaWEB
- web.archive.org/web/20201221115217/https://groups.google.com/forum/message/rawghsaWEB
- www.securityfocus.com/bid/83726nvd
- www.securitytracker.com/id/1035122nvd
- groups.google.com/forum/message/rawnvd
News mentions
0No linked articles in our index yet.