CVE-2018-3760

Name: CVE-2018-3760
Creator: NVD / NIST
Published: 2018-06-26T19:29:00.343+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 26.72%

Last modified Jun 17, 2026

CVE-2018-3760 is a vulnerability of currently unknown severity. There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. EPSS estimates a 26.72% chance of exploitation in the next 30 days.

Description

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

Metrics

EPSS Probability

26.72%

97.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Redhat	Cloudforms	4.5	—
Redhat	Cloudforms	4.6	—
Redhat	Enterprise Linux	6.0	—
Redhat	Enterprise Linux	6.7	—
Redhat	Enterprise Linux	7.0	—
Redhat	Enterprise Linux	7.3	—
Redhat	Enterprise Linux	7.4	—
Redhat	Enterprise Linux	7.5	—
Redhat	Enterprise Linux	7.6	—
Sprockets Project	Sprockets	>= 2.0.0, <= 2.12.4	—
Sprockets Project	Sprockets	>= 3.0.0, <= 3.7.1	—
Sprockets Project	Sprockets	4.0.0	Beta1
Debian	Debian Linux	9.0	—

References

https://access.redhat.com/errata/RHSA-2018:2244Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2245Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2561Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2745Third Party Advisory
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5Broken Link
https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJPatch, Third Party Advisory
https://www.debian.org/security/2018/dsa-4242Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2244Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2245Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2561Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2745Third Party Advisory
https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5Broken Link
https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJPatch, Third Party Advisory
https://www.debian.org/security/2018/dsa-4242Third Party Advisory

Timeline

Published: Jun 26, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-3760?

How severe is CVE-2018-3760?

Severity scoring for CVE-2018-3760 is pending analysis. The EPSS model estimates a 26.72% probability of exploitation in the next 30 days.

How do I fix CVE-2018-3760?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-3760?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST