Ruby on Rails versions 3.2.18, 4.0.5 and 4.1.1 are available for download. The updates address a serious vulnerability so users are advised to update their installations as soon as possible.
The vulnerability has been assigned the CVE identifier CVE-2014-0130 and it affects all supported versions of Ruby on Rails. It impacts the “implicit render” functionality, which allows controllers to render a template even if there is no explicit action with the corresponding name.
Because the implicit render code does not properly sanitize the action name taken from the request, an attacker could use a specially crafted request to retrieve arbitrary files from the Rails application server.
“In order to be vulnerable an application must specifically use globbing routes in combination with the :action parameter,” reads the advisory for the security hole.
“The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example '/' and '.'. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.”
While users are advised to update their installations, there is also a workaround: avoid using globbing matches for the ‘:action’ parameter.
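To make the vulnerable configuration concrete, here is an added example (not code from the advisory or from Rails itself): a small audit helper that scans a routes.rb-style file for routes that bind a glob segment to :action, the combination the advisory describes, and proposes the non-globbing form. The route lines in SAMPLE_ROUTES are constructed for illustration.

```ruby
# Added example, not part of the Rails project or the advisory.
# A glob segment is written "*name" in a Rails route path; the risky case
# the advisory describes is a glob that is itself the :action parameter.
GLOB_ACTION = /\*action\b/

# Matches a route definition and captures its quoted path.
ROUTE_LINE = /\A\s*(?:get|post|put|patch|delete|match)\s+['"]([^'"]+)['"]/

# Returns [line_number, path] pairs for every route whose path globs :action.
def find_glob_action_routes(routes_source)
  findings = []
  routes_source.each_line.with_index(1) do |line, lineno|
    m = ROUTE_LINE.match(line)
    next unless m
    path = m[1]
    findings << [lineno, path] if GLOB_ACTION.match?(path)
  end
  findings
end

# One possible rewrite: a plain ":action" segment matches a single path
# segment and therefore cannot carry '/' or '.', which is what the advisory's
# workaround (no globbing for :action) amounts to.
def suggest_fix(path)
  path.sub('*action', ':action')
end

# Constructed sample routes file used to demonstrate the audit.
SAMPLE_ROUTES = <<~RUBY
  Rails.application.routes.draw do
    get ':controller/*action'                  # glob bound to :action: flagged
    get 'files/*path', to: 'files#show'        # glob, but not :action: fine
    get ':controller/:action'                  # plain segments: fine
    match '/*action', controller: 'legacy', via: :all
  end
RUBY

if __FILE__ == $0
  find_glob_action_routes(SAMPLE_ROUTES).each do |lineno, path|
    puts "line #{lineno}: #{path} -> consider #{suggest_fix(path)}"
  end
end
```

Running it against a real routes.rb is a quick way to confirm whether an application needs the workaround at all before the upgrade is scheduled.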