CVE-2018-16477 - AskarLabs CVE Database

CVE-2018-16477

Vendor N/A

Product https://github.com/rails/rails

Weakness CWE-200 · Info exposure

Published November 30, 2018

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1.

Key dates

02Disclosure timeline

November 30, 2018 CVE published

August 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-16477

Related vulnerabilities

04Related CVE

CVE-2023-1263 CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 - Information Exposure CVE-2025-66623 Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands CVE-2026-41659 Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment CVE-2025-61639 Suppressed blocked IP is visible in Special:BlockList, RC, and other places CVE-2023-29114 Unauthorized System Log Disclosure in Enel X JuiceBox