CVE-2018-16477 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-16477 Interim 1 5 2021-12-09T01:48:58Z current 2021-05-30T14:16:33Z 2021-12-09T01:48:58Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-16477 A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed ruby2.7-rubygem-activestorage-5.2-5.2.6-1.2 ruby2.7-rubygem-rails-5.2-5.2.6-1.2 ruby3.0-rubygem-activestorage-5.2-5.2.6-1.2 ruby3.0-rubygem-rails-5.2-5.2.6-1.2 ruby2.7-rubygem-activestorage-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed ruby2.7-rubygem-rails-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed ruby3.0-rubygem-activestorage-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed ruby3.0-rubygem-rails-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1. CVE-2018-16477 openSUSE Tumbleweed:ruby2.7-rubygem-activestorage-5.2-5.2.6-1.2 openSUSE Tumbleweed:ruby2.7-rubygem-rails-5.2-5.2.6-1.2 openSUSE Tumbleweed:ruby3.0-rubygem-activestorage-5.2-5.2.6-1.2 openSUSE Tumbleweed:ruby3.0-rubygem-rails-5.2-5.2.6-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N