Cyber Resilience

CVE-2016-0752

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 16 February 2016

Published
16 February 2016
Modified
22 April 2026
KEV Added
25 March 2022
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.9049 99.6th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-0752 is a high-severity Path Traversal (CWE-22) vulnerability in Rubyonrails Rails. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Directory traversal vulnerability CVE-2016-0752 affects Action View in Ruby on Rails versions prior to 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1. The flaw, assigned CWE-22, permits an attacker to supply a pathname containing dot-dot sequences to the render method, resulting in disclosure of arbitrary files outside the intended view directory when an application invokes render without path restrictions.

Remote unauthenticated attackers can exploit the issue over the network by crafting requests that trigger the vulnerable render call, achieving read access to sensitive files on the server with a CVSS 3.1 score of 7.5 reflecting high confidentiality impact and low attack complexity.

Fedora and openSUSE package announcements reference the availability of updated Rails packages that address the traversal flaw, indicating that administrators should apply the respective distribution updates to reach the fixed versions.

EU & UK References

Vulnerability details

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render…

more

method and providing a .. (dot dot) in a pathname.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rubyonrails
rails
5.0.0 · ≤ 3.2.22.1 · 4.0.0 — 4.1.14.1 · 4.2.0 — 4.2.5.1
opensuse
leap
42.1
opensuse
opensuse
13.2
suse
linux enterprise module for containers
12
debian
debian linux
8.0
redhat
software collections
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of pathnames supplied to render to reject dot-dot traversal sequences before file access occurs.

prevent

Mandates timely application of the Rails patches that close the unrestricted render path-traversal flaw.

prevent

Enforces that only explicitly authorized view files may be read, blocking the unauthorized file disclosure the CVE enables.

References