A vulnerability in Sprockets could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.
The vulnerability is due to insufficient sanitization of user-supplied input by the affected software when the forbidden_request?() function is used. An attacker could exploit this vulnerability by sending crafted URL requests to a targeted system that runs Sprockets in production. A successful exploit could lead to a path traversal condition, allowing an attacker to read arbitrary files on the targeted system.
The vendor confirmed the vulnerability and released software updates.
Security Impact Rating: High
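
The kind of check whose absence leads to the path traversal condition described above, as an added Ruby example (not Sprockets' own code and not the vendor's fix): decode the request path to a fixed point, reject parent-directory segments, then confirm that the canonical path stays under the asset root. `ASSET_ROOT`, `fully_decode` and `resolve_asset` are hypothetical names, and all sample paths are constructed.

```ruby
# Added example: containment check for asset requests (not Sprockets code).
ASSET_ROOT = "/srv/app/public/assets" # hypothetical root, constructed for this example

# Percent-decode until the value stops changing, so that doubly encoded dots
# or separators cannot survive a single decoding pass. Returns nil when the
# input is still changing after max_rounds; no legitimate asset name needs that.
def fully_decode(path, max_rounds = 4)
  current = path
  max_rounds.times do
    # Work on a binary copy so any decoded byte value is accepted here;
    # encoding validity is checked by the caller.
    decoded = current.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
    return current if decoded == current
    current = decoded
  end
  nil
end

# Returns the absolute path to serve, or nil when the request must be refused.
def resolve_asset(logical_path, root = ASSET_ROOT)
  decoded = fully_decode(logical_path)
  return nil if decoded.nil? || !decoded.valid_encoding?
  # NUL bytes and backslashes have no place in an asset name.
  return nil if decoded.include?("\0") || decoded.include?("\\")
  # Compare whole segments, so "a..b.js" is allowed but ".." is not.
  return nil if decoded.split("/").include?("..")

  root_path = File.expand_path(root)
  # Join before expanding: the result is absolute, so a leading "~" or "/"
  # in the request cannot re-anchor the path somewhere else.
  candidate = File.expand_path(File.join(root_path, decoded))
  # Match on a directory boundary so a sibling such as ".../assets-old"
  # does not pass. File.expand_path is lexical and does not resolve symlinks;
  # compare File.realpath values as well if the root may contain symlinks.
  candidate.start_with?(root_path + "/") ? candidate : nil
end
```

Percent-encoded and doubly encoded forms of the same traversal are refused along with the plain one, while names that merely contain two dots are still served.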