{"containers": {"cna": {"affected": [{"product": "message_bus", "vendor": "discourse", "versions": [{"status": "affected", "version": "< 3.3.7"}]}], "descriptions": [{"lang": "en", "value": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-17T18:15:11.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"}], "source": {"advisory": "GHSA-xmgj-5fh3-xjmm", "discovery": "UNKNOWN"}, "title": "Path traversal in message_bus", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43840", "STATE": "PUBLIC", "TITLE": "Path traversal in message_bus"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "message_bus", "version": {"version_data": [{"version_value": "< 3.3.7"}]}}]}, "vendor_name": "discourse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm", "refsource": "CONFIRM", "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"}, {"name": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba", "refsource": "MISC", "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"}]}, "source": {"advisory": "GHSA-xmgj-5fh3-xjmm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43840", "datePublished": "2021-12-17T18:15:11.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2024-08-04T04:10:16.823Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:message_bus:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "1BFAB388-520F-4B06-8DC0-2F6821BA0898", "versionEndExcluding": "3.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled."}, {"lang": "es", "value": "message_bus es un bus de mensajer\u00eda para procesos Ruby y clientes web. En las versiones anteriores a 3.3.7, los usuarios que desplegaron el bus de mensajes con las caracter\u00edsticas de diagn\u00f3stico habilitadas (por defecto deshabilitadas) son vulnerables a un bug de salto de ruta, que podr\u00eda conllevar a una revelaci\u00f3n de informaci\u00f3n secreta en una m\u00e1quina si un usuario no intencionado accediera a la ruta de diagn\u00f3stico. El impacto tambi\u00e9n es mayor si no se presenta un proxy para su aplicaci\u00f3n web, ya que el n\u00famero de pasos por los directorios no est\u00e1 limitado. Para las implementaciones que usan un proxy, el impacto var\u00eda. Por ejemplo, si una petici\u00f3n pasa por un proxy como Nginx con \"merge_slashes\" habilitado, el n\u00famero de pasos hacia arriba en los directorios que pueden ser le\u00eddos est\u00e1 limitado a 3 niveles. Este problema ha sido parcheado en la versi\u00f3n 3.3.7. Los usuarios que no puedan actualizarse deber\u00e1n asegurarse de que MessageBus::Diagnostics est\u00e1 deshabilitado"}], "id": "CVE-2021-43840", "lastModified": "2024-11-21T06:29:54.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-17T19:15:07.757", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/message_bus/commit/9b6deee01ed474c7e9b5ff65a06bb0447b4db2ba"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/message_bus/security/advisories/GHSA-xmgj-5fh3-xjmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}