High severity7.5NVD Advisory· Published Jun 26, 2018· Updated Jun 17, 2026
CVE-2018-3760
CVE-2018-3760
Description
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sprocketsRubyGems | >= 3.0.0, < 3.7.2 | 3.7.2 |
sprocketsRubyGems | >= 4.0.0.beta1, < 4.0.0.beta8 | 4.0.0.beta8 |
sprocketsRubyGems | < 2.12.5 | 2.12.5 |
Affected products
22- ghsa-coords21 versionspkg:gem/sprocketspkg:rpm/opensuse/ruby3.2-rubygem-sprockets-3.7&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.2-rubygem-sprockets&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-sprockets-3.7&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-sprockets&distro=openSUSE%20Tumbleweedpkg:rpm/suse/crowbar-core&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/crowbar&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-init&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-ui&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-sprockets-2_12&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-sprockets-2_12&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-sprockets&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015
>= 3.0.0, < 3.7.2+ 20 more
- (no CPE)range: >= 3.0.0, < 3.7.2
- (no CPE)range: < 3.7.2-1.20
- (no CPE)range: < 4.1.1-1.6
- (no CPE)range: < 3.7.3-1.1
- (no CPE)range: < 4.0.3-1.1
- (no CPE)range: < 4.0+git.1534246408.3ab19c567-9.33.1
- (no CPE)range: < 4.0+git.1534246408.3ab19c567-9.33.1
- (no CPE)range: < 5.0+git.1533887407.6e9b0412d-3.8.2
- (no CPE)range: < 4.0+git.1528801103.f5708341-7.20.1
- (no CPE)range: < 4.0+git.1528801103.f5708341-7.20.1
- (no CPE)range: < 5.0+git.1528696845.81a7b5d0-3.3.1
- (no CPE)range: < 4.0+git.1533750802.5768e73-4.34.1
- (no CPE)range: < 5.0+git.1530177874.35b9099-3.3.1
- (no CPE)range: < 5.0+git.1520420379.d5bbb35-3.3.1
- (no CPE)range: < 4.0+git.1534254269.ce598a9fe-9.39.1
- (no CPE)range: < 5.0+git.1534167599.d325ef804-4.8.2
- (no CPE)range: < 1.1.0+git.1533844061.4ac8e723-4.3.1
- (no CPE)range: < 1.2.0+git.1533844061.4ac8e723-3.3.1
- (no CPE)range: < 2.12.5-1.3.1
- (no CPE)range: < 2.12.5-1.4.1
- (no CPE)range: < 3.7.2-3.3.1
- HackerOne/Sprocketsv5Range: 4.0.0.beta8, 3.7.2, 2.12.5
Patches
Vulnerability mechanics
References
12- groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJnvdPatchThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2244nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2245nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2561nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2745nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-pr3h-jjhj-573xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-3760ghsaADVISORY
- www.debian.org/security/2018/dsa-4242nvdThird Party AdvisoryWEB
- github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5ghsaWEB
- github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441ghsaWEB
- github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fghsaWEB
- github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5nvdBroken Link
News mentions
0No linked articles in our index yet.