CVE-2014-7818

Published: 08/11/2014 Updated: 08/08/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x prior to 3.2.20, 4.0.x prior to 4.0.11, 4.1.x prior to 4.1.7, and 4.2.x prior to 4.2.0.beta3, when serve_static_assets is enabled, allows remote malicious users to determine the existence of files outside the application root via a /..%2F sequence.

Vulnerable Product

rubyonrails rails 3.0.0

rubyonrails rails 3.0.10

rubyonrails rails 3.0.16

rubyonrails rails 3.0.17

rubyonrails rails 3.0.4

rubyonrails rails 3.0.7

rubyonrails rails 3.0.9

rubyonrails rails 3.1.0

rubyonrails rails 3.1.1

rubyonrails rails 3.1.4

rubyonrails rails 3.1.5

rubyonrails rails 3.2.0

rubyonrails rails 3.0.1

rubyonrails rails 3.0.13

rubyonrails rails 3.0.14

rubyonrails rails 3.0.3

rubyonrails ruby on rails 3.0.4

rubyonrails rails 3.0.6

rubyonrails rails 3.0.8

rubyonrails rails 3.2.1

rubyonrails rails 3.2.16

rubyonrails rails 3.2.17

rubyonrails rails 3.2.4

rubyonrails rails 4.0.0

rubyonrails rails 4.0.2

rubyonrails rails 4.0.3

rubyonrails rails 4.0.8

rubyonrails rails 4.0.9

rubyonrails rails 4.1.2

rubyonrails rails 4.2.0

rubyonrails rails 3.1.3

rubyonrails rails 3.2.13

rubyonrails rails 3.2.15

rubyonrails rails 3.2.3

rubyonrails rails 4.0.1

rubyonrails rails 4.0.10

rubyonrails rails 4.0.6

rubyonrails rails 4.0.7

rubyonrails rails 4.1.6

rubyonrails rails 3.0.11

rubyonrails rails 3.0.12

rubyonrails rails 3.0.18

rubyonrails rails 3.0.19

rubyonrails rails 3.0.2

rubyonrails rails 3.0.5

rubyonrails rails 3.1.10

rubyonrails rails 3.1.2

rubyonrails rails 3.1.6

rubyonrails rails 3.1.7

rubyonrails rails 3.2.10

rubyonrails rails 3.2.11

rubyonrails rails 3.2.18

rubyonrails ruby on rails 3.2.19

rubyonrails rails 3.2.5

rubyonrails rails 3.2.6

rubyonrails rails 4.0.4

rubyonrails rails 4.0.5

rubyonrails rails 4.1.0

rubyonrails rails 4.1.3

rubyonrails rails 4.1.4

rubyonrails rails 3.0.20

rubyonrails rails 3.1.8

rubyonrails rails 3.1.9

rubyonrails rails 3.2.12

rubyonrails rails 3.2.2

rubyonrails rails 3.2.7

rubyonrails rails 3.2.8

rubyonrails rails 4.1.1

rubyonrails rails 4.1.5

opensuse opensuse 12.3

opensuse opensuse 13.1

opensuse opensuse 13.2

Vendor Advisories

Debian Bug report logs - #770934 rails: CVE-2014-7818 CVE-2014-7829 Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails Reported by: Moritz Muehlenhoff <jmm@inutil.org> Date: Tue, 25 Nov 2014 ...
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F ...