KEVIntel
CVSS 7.5 High

CVE-2018-3760

PUBLISHED


Exploited in the wild · PoC available · Remote · Low complexity · No user interaction
Vendor: HackerOne
Product: Sprockets
Published: Jun 26, 2018
EPSS

Description

There is an information leak vulnerability in Sprockets. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.

nuclei_scanner

CVSS scores

CVSS v3.0 7.5 High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0 5.0

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2025-04-27 00:00:00 UTC

Proof of concept available

Recorded 2019-10-21 14:15:09 UTC

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: The Shadowserver (via CIRCL) · Added: Apr 27, 2025

Scanner integrations

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

wudidwo/CVE-2018-3760-poc

github · Created 2024-11-19 11:52:53 UTC · 0 stars

cyberharsh/Ruby-On-Rails-Path-Traversal-Vulnerability-CVE-2018-3760-

github · Created 2020-06-24 12:15:07 UTC · 2 stars

mpgn/CVE-2018-3760

github · Created 2019-10-21 14:15:09 UTC · 8 stars

Rails Asset Pipeline Directory Traversal Vulnerability

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel