CVE-2021-43840

Path traversal in message_bus

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled.

message_bus es un bus de mensajería para procesos Ruby y clientes web. En las versiones anteriores a 3.3.7, los usuarios que desplegaron el bus de mensajes con las características de diagnóstico habilitadas (por defecto deshabilitadas) son vulnerables a un bug de salto de ruta, que podría conllevar a una revelación de información secreta en una máquina si un usuario no intencionado accediera a la ruta de diagnóstico. El impacto también es mayor si no se presenta un proxy para su aplicación web, ya que el número de pasos por los directorios no está limitado. Para las implementaciones que usan un proxy, el impacto varía. Por ejemplo, si una petición pasa por un proxy como Nginx con "merge_slashes" habilitado, el número de pasos hacia arriba en los directorios que pueden ser leídos está limitado a 3 niveles. Este problema ha sido parcheado en la versión 3.3.7. Los usuarios que no puedan actualizarse deberán asegurarse de que MessageBus::Diagnostics está deshabilitado

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2021-12-17 CVE Published
2023-07-10 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (2)

URL	Tag	Source
https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba	2021-12-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Discourse Search vendor "Discourse"		Message Bus Search vendor "Discourse" for product "Message Bus"				< 3.3.7 Search vendor "Discourse" for product "Message Bus" and version " < 3.3.7"		ruby		Affected