CVE-2018-3760

Tags: HIGH · EXPLOITED · NUCLEI · LAB

Sprockets (Ruby on Rails asset pipeline) <= 2.12.4 / 3.7.1 / 4.0.0.beta7 - Information Disclosure (Path Traversal)


Exploitation Summary

CVE-2018-3760 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits, from mpgn, cyberharsh, dyeat and wudidwo. A Nuclei detection template is also available.

AI-analyzed exploit summary: The public proofs of concept exploit CVE-2018-3760, a path traversal in Sprockets, the Rails asset pipeline. They request an asset whose '..' segments are URL-encoded (typically double-encoded) so that the server's traversal check does not see them, while the path, once fully decoded, resolves outside the asset root; the server then returns any file the application user can read, such as /etc/passwd. The direct impact is information disclosure; the mpgn PoC description additionally notes that a file reached this way with a processed extension such as .erb would be compiled by Sprockets, which could extend the impact to code execution.

Description

There is an information leak vulnerability in Sprockets, the Ruby on Rails asset pipeline. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower (fixed in 4.0.0.beta8, 3.7.2 and 2.12.5). Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production, i.e. when the application compiles and serves assets on demand (config.assets.compile = true) rather than serving precompiled assets statically. All users running an affected release should either upgrade or apply one of the workarounds immediately; the documented workaround is to disable the Sprockets server in production with config.assets.compile = false.
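To make the mechanism concrete, here is an added Ruby model, written for this page and not Sprockets' own code, of why an encoded '..' survives a naive traversal check: the check runs on the once-decoded path, the lookup decodes again and joins the result under the asset root, and nothing verifies that the canonical path is still inside that root. The asset root (/app/public/assets), the function names and the decode-check-decode ordering of the vulnerable resolver are illustrative assumptions; the hardened resolver shows the check a practitioner would want, applied to the path that is actually opened.

```ruby
# Added example for this page; it models the double-decoding bypass described
# above and is not Sprockets' code. ASSET_ROOT and the function names are assumed.
ASSET_ROOT = "/app/public/assets".freeze

# Strict percent-decoding (no "+" to space), one pass only.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Build the kind of logical asset path the public PoCs send: each ".." segment
# is encoded twice ("%252e%252e"), so one decode still leaves "%2e%2e".
def build_probe(depth, target = "etc/passwd")
  ("%252e%252e/" * depth) + target
end

# Vulnerable pattern: the traversal check runs on the once-decoded path, but the
# asset lookup decodes again and joins the result under the root unchecked.
def vulnerable_resolve(logical_path)
  once = percent_decode(logical_path)
  # Catches plain and single-encoded "..", but "%2e%2e" is still literal here.
  return nil if once.split("/").include?("..")
  twice = percent_decode(once)
  File.expand_path(twice, ASSET_ROOT)
end

# Hardened pattern: after the single decode, refuse residual encoding, traversal
# and scheme/absolute markers, then enforce containment on the canonical path
# that would actually be opened.
def hardened_resolve(logical_path)
  once = percent_decode(logical_path)
  return nil if once.include?("%") || once.include?("..") ||
                once.start_with?("/") || once.include?("://")
  full = File.expand_path(once, ASSET_ROOT)
  full.start_with?("#{ASSET_ROOT}/") ? full : nil
end

if $PROGRAM_NAME == __FILE__
  probe = build_probe(3)
  puts "probe:      #{probe}"
  puts "vulnerable: #{vulnerable_resolve(probe).inspect}" # resolves to /etc/passwd
  puts "hardened:   #{hardened_resolve(probe).inspect}"   # nil: request refused
end
```

The depth of 3 matches the assumed root; a real probe just uses more '..' segments than the root has components, since File.expand_path clamps at "/". Note that the single-encoded form (%2e%2e) is caught by even the naive check, which is exactly why the public PoCs encode twice.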

Exploits (4)

Source: nomisec · Working PoC · 8 stars
by mpgn · infoleak
https://github.com/mpgn/CVE-2018-3760

This repository contains a working proof-of-concept exploit for CVE-2018-3760, a directory traversal vulnerability in the Rails asset pipeline (Sprockets). The exploit uses encoded path segments that survive the server's traversal check and resolve outside the asset root, giving arbitrary file read. The direct impact is information disclosure, potentially extending to remote code execution if the file reached has a processed extension such as .erb, since Sprockets compiles such files.

Classification: Working PoC (90%) · Attack type: Info leak · Complexity: Trivial · Reliability: Reliable
Target: Ruby on Rails with Sprockets (when config.assets.compile = true in production)
Authentication: none needed
Prerequisites: Rails application with the Sprockets server enabled in production (config.assets.compile = true) · Network access to the vulnerable Rails application
Analysis: devstral-2, Feb 16, 2026
Source: nomisec · Working PoC · 3 stars
by cyberharsh · poc
https://github.com/cyberharsh/Ruby-On-Rails-Path-Traversal-Vulnerability-CVE-2018-3760-

This PoC demonstrates the path traversal vulnerability in Sprockets (Ruby on Rails) versions 3.7.1 and below, allowing attackers to read arbitrary files on the server by double URL-encoding the traversal sequence.

Classification: Working PoC (90%) · Attack type: Info leak · Complexity: Trivial · Reliability: Reliable
Target: Ruby on Rails with Sprockets <= 3.7.1
Authentication: none needed
Prerequisites: Target running Ruby on Rails with a vulnerable Sprockets version · Access to the assets endpoint
Analysis: devstral-2, Feb 16, 2026
Source: github · Working PoC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/RubyOnRails/Rails/CVE-2018-3760

This repository contains a functional Python script that exploits CVE-2018-3760, a path traversal vulnerability in Ruby on Rails Sprockets 3.x. The script sends a crafted HTTP request with encoded '..' sequences to read arbitrary files (e.g., /etc/passwd) from the target system.

Classification: Working PoC (95%) · Attack type: Info leak · Complexity: Trivial · Reliability: Reliable
Target: Ruby on Rails Sprockets 3.x
Authentication: none needed
Prerequisites: Target URL with vulnerable Rails Sprockets 3.x
Analysis: devstral-2, May 22, 2026
Source: nomisec · Working PoC
by wudidwo · infoleak
https://github.com/wudidwo/CVE-2018-3760-poc

This PoC exploits CVE-2018-3760, an arbitrary file read vulnerability in Ruby on Rails (Sprockets). It uses double URL encoding to bypass the path traversal check and read sensitive files such as /etc/passwd.

Classification: Working PoC (90%) · Attack type: Info leak · Complexity: Trivial · Reliability: Reliable
Target: Ruby on Rails (versions affected by CVE-2018-3760)
Authentication: none needed
Prerequisites: Target must be running a vulnerable version of Sprockets (the gem version, not the Rails version, determines exposure) · Network access to the target application
Analysis: devstral-2, Feb 16, 2026

Nuclei Templates (1)

Ruby On Rails - Local File Inclusion · severity: high · by 0xrudra, pikpikcu
(The template's name says LFI; what it checks for is the Sprockets arbitrary file read described above, not inclusion of a file into executed code.)
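Complementing the Nuclei check, which probes a live target, here is an added Ruby detector (written for this page; not part of the Nuclei template or any of the PoCs) that scans web-server access logs for the request shapes this vulnerability produces: plain, single-encoded or double-encoded '..' segments, encoded slashes, or a URI scheme embedded in the asset path. The log lines are constructed for the example; the file:%2f%2f variant is included as an assumed probe shape alongside the plain double-encoded form. The status code is kept because a 200 on a probe means the server served something for it, which is the line an incident responder wants to look at first.

```ruby
# Added example for this page: flags Sprockets traversal probes in access logs.
# Not part of the Nuclei template or any PoC; the sample lines are constructed.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [26/Jun/2018:10:00:01 +0000] "GET /assets/application-1a2b3c.css HTTP/1.1" 200 5120
  10.0.0.9 - - [26/Jun/2018:10:00:02 +0000] "GET /assets/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1822
  10.0.0.9 - - [26/Jun/2018:10:00:03 +0000] "GET /assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 1289
  10.0.0.7 - - [26/Jun/2018:10:00:04 +0000] "GET /api/../etc/passwd HTTP/1.1" 404 30
  10.0.0.5 - - [26/Jun/2018:10:00:05 +0000] "GET /assets/logo-9f8e7d.png HTTP/1.1" 200 8890
LOG

# Common Log Format: client, identd, user, [time], "method path proto", status, bytes
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Indicators are matched against the raw (undecoded) request path so that
# plain, single-encoded and double-encoded forms are all caught.
INDICATORS = {
  "dot-dot segment"      => %r{(?:\A|/)\.\.(?:/|\z)},
  "encoded dot-dot"      => /%(?:25)?2e%(?:25)?2e/i,
  "encoded slash"        => /%(?:25)?2f/i,
  "scheme in asset path" => %r{(?:\A|/)[a-z][a-z0-9+.-]*:(?://|%(?:25)?2f%(?:25)?2f)}i,
}.freeze

# Sprockets serves under this prefix by default; adjust if the app remaps it.
ASSET_PREFIX = "/assets/".freeze

# Returns one hash per suspicious asset request, with the indicators that fired.
def detect_sprockets_traversal(log_text)
  hits = []
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    path = m[:path]
    next unless path.start_with?(ASSET_PREFIX)
    reasons = INDICATORS.select { |_, re| re.match?(path) }.keys
    next if reasons.empty?
    hits << {
      ip: m[:ip], time: m[:time], path: path, status: m[:status].to_i,
      reasons: reasons,
      # A 200 on a probe means the server served something for it: treat as
      # a likely successful read, not just a scan attempt.
      likely_success: m[:status] == "200",
    }
  end
  hits
end

if $PROGRAM_NAME == __FILE__
  detect_sprockets_traversal(SAMPLE_LOG).each do |h|
    tag = h[:likely_success] ? "LIKELY-READ" : "probe"
    puts "#{h[:ip]} #{h[:status]} #{tag} #{h[:path]} [#{h[:reasons].join(', ')}]"
  end
end
```

Requests outside the asset prefix (the /api/../etc/passwd line) are deliberately ignored here so the output stays specific to this vulnerability; a general traversal detector would drop that filter. Run it against real logs with detect_sprockets_traversal(File.read("access.log")).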

References (7)

Core references
Vendor advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:2745
Vendor advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:2244
Vendor advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:2561
Vendor advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:2245
Vendor advisory (Debian): https://www.debian.org/security/2018/dsa-4242

Scores

CVSS v3: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.9389 (99.9th percentile)
Attack vector: NETWORK

Details

VulnCheck KEV: added 2020-12-28
CWE: CWE-22, CWE-200
Status: published
Products (13)
debian/debian_linux 9.0
redhat/cloudforms 4.5
redhat/cloudforms 4.6
redhat/enterprise_linux 6.0
redhat/enterprise_linux 6.7
redhat/enterprise_linux 7.0
redhat/enterprise_linux 7.3
redhat/enterprise_linux 7.4
redhat/enterprise_linux 7.5
redhat/enterprise_linux 7.6
... and 3 more
Published Jun 26, 2018
Tracked Since Feb 18, 2026