The Qualys WAS scanning engine has been updated with a new detection for CVE-2019-5418, a serious file content disclosure vulnerability in Ruby on Rails. Ensure that QID 150237 is enabled in your WAS vulnerability scans to test for this issue. When attempting to exploit this issue, an attacker submits a request with a specially-crafted "Accept" header. Web apps that are vulnerable use the "render" method on a file (render :file). More details can be found at https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q.
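Because the trigger for this issue is a malformed "Accept" header, a useful triage step alongside the WAS scan is to check access logs for requests whose Accept value does not parse as a list of media ranges. The following Ruby script is an added example, not Qualys code and not part of the Rails advisory: it validates each Accept element against the RFC 7231 media-range grammar and flags anything else. The log format (client IP, request line, status, quoted Accept header) and the sample lines are constructed for the example; the real remediation is still to upgrade Rails as described in the linked advisory.

```ruby
# Added example (not Qualys or Rails code): flag HTTP requests whose Accept
# header does not look like a list of media ranges. CVE-2019-5418 is triggered
# through a malformed Accept value, so such requests deserve a closer look.

# RFC 7231 token characters; media-range is type "/" subtype, "*" allowed on
# either side, followed by optional ";name=value" parameters.
TOKEN = /[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+/
MEDIA_RANGE = %r{\A(?:\*|#{TOKEN})/(?:\*|#{TOKEN})\z}
PARAM = %r{\A#{TOKEN}=(?:#{TOKEN}|"(?:[^"\\]|\\.)*")\z}

# Returns true when every comma-separated element of an Accept header is a
# syntactically valid media range with optional parameters. A missing or
# empty header is treated as valid (the client simply accepts anything).
# Dots are legal token characters, so ".." is rejected explicitly: no
# registered media type contains it, but a traversal attempt would.
def valid_accept?(value)
  return true if value.nil? || value.strip.empty?
  value.split(",").all? do |element|
    range, *params = element.strip.split(";").map(&:strip)
    !range.include?("..") &&
      range.match?(MEDIA_RANGE) &&
      params.all? { |p| p.match?(PARAM) }
  end
end

# Constructed sample log; the format is an assumption for this example and
# records the Accept header as the last quoted field.
SAMPLE_LOG = <<~LOG
  10.0.0.5 "GET /reports/1 HTTP/1.1" 200 "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8"
  10.0.0.7 "GET /reports/2 HTTP/1.1" 200 "application/json"
  10.0.0.9 "GET /reports/3 HTTP/1.1" 200 "../../../../etc/passwd"
  10.0.0.9 "GET /reports/4 HTTP/1.1" 200 ""
LOG

LINE = /\A(\S+) "([^"]*)" (\d{3}) "([^"]*)"\z/

# Parses the log text and returns the requests carrying a malformed Accept
# header as [client_ip, request_line, accept_value] triples.
def flag_malformed_accept(log_text)
  log_text.each_line.filter_map do |line|
    m = line.strip.match(LINE) or next
    ip, request, _status, accept = m.captures
    [ip, request, accept] unless valid_accept?(accept)
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_malformed_accept(SAMPLE_LOG).each do |ip, request, accept|
    puts "#{ip} #{request} -> suspicious Accept: #{accept.inspect}"
  end
end
```

Run against the constructed sample, only the third request is reported. The check is purely syntactic, so it will also flag harmless but sloppy clients; treat a hit as a prompt to inspect the request, and pair it with the WAS finding to decide whether the application actually renders files from that path.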
This new detection is part of an ongoing effort to provide more support for known vulnerabilities in application frameworks.