Security Vulnerability - possible to read arbitrary files via socket

[e2]

Patched gem version: v2.5.2
PR with patch: #158
Affected versions: v2.5.1 and below
Credits: @mikeycgto

Use cases affected:

• multiuser servers running livereload
• websocket address listening on non-local address
• websocket port forwarded to untrusted/multiuser remote machines
• ?

Basically, anyone who can connect to the port can read files available to the user running the livereload server.

Stuff left to do:

• Prevent files other than ./livereload.js to be loaded via socket
• Release 2.5.2 with file serving disable (other than ./livereload.js)
• Add info to Readme
• Add websocket spec (none yet) (Refactor out HTTP layer from WebSocket + add specs #160)
• Refactor websocket for filesystem related specs (Refactor out HTTP layer from WebSocket + add specs #160)
• CVE - none yet
• Decide which files should be allowed (if any)

[mjc-gh]

A CVE was assigned for this issue: CVE-2016-1000305

https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f523ecfca52/DWF/2016/1000305/CVE-2016-1000305.json

[jasnow]

A CVE was assigned for this issue: CVE-2016-1000305

https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f523ecfca52/DWF/2016/1000305/CVE-2016-1000305.json

Do you know status of this CVE?