CVE-2014-7829

Published: 18/11/2014 Updated: 08/08/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x prior to 3.2.21, 4.0.x prior to 4.0.12, 4.1.x prior to 4.1.8, and 4.2.x prior to 4.2.0.beta4, when serve_static_assets is enabled, allows remote malicious users to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.

Vulnerable Product

opensuse opensuse 12.3

opensuse opensuse 13.1

opensuse opensuse 13.2

rubyonrails rails 3.0.0

rubyonrails rails 3.0.1

rubyonrails rails 3.0.10

rubyonrails rails 3.0.14

rubyonrails rails 3.0.16

rubyonrails ruby on rails 3.0.4

rubyonrails rails 3.0.4

rubyonrails rails 3.0.7

rubyonrails rails 3.0.9

rubyonrails rails 3.1.0

rubyonrails rails 3.1.1

rubyonrails rails 3.1.4

rubyonrails rails 3.1.5

rubyonrails rails 3.2.0

rubyonrails rails 3.2.15

rubyonrails rails 3.2.16

rubyonrails rails 3.2.3

rubyonrails rails 4.0.0

rubyonrails rails 4.0.1

rubyonrails rails 4.0.10

rubyonrails rails 4.0.6

rubyonrails rails 4.0.7

rubyonrails rails 4.1.1

rubyonrails rails 4.1.2

rubyonrails rails 4.1.6

rubyonrails rails 3.0.12

rubyonrails rails 3.0.2

rubyonrails rails 3.0.5

rubyonrails rails 3.0.6

rubyonrails rails 3.0.8

rubyonrails rails 3.1.2

rubyonrails rails 3.1.7

rubyonrails rails 3.1.8

rubyonrails rails 3.2.11

rubyonrails rails 3.2.12

rubyonrails ruby on rails 3.2.19

rubyonrails ruby on rails 3.2.20

rubyonrails rails 3.2.5

rubyonrails rails 3.2.6

rubyonrails rails 4.0.4

rubyonrails rails 4.0.5

rubyonrails ruby on rails 4.0.11

rubyonrails rails 4.1.3

rubyonrails rails 4.2.0

rubyonrails rails 3.0.13

rubyonrails rails 3.0.20

rubyonrails rails 3.0.3

rubyonrails rails 3.1.3

rubyonrails rails 3.1.9

rubyonrails rails 3.2.13

rubyonrails rails 3.2.2

rubyonrails rails 3.2.7

rubyonrails rails 3.2.8

rubyonrails rails 4.1.0

rubyonrails rails 4.1.4

rubyonrails rails 4.1.5

rubyonrails rails 3.0.11

rubyonrails rails 3.0.17

rubyonrails rails 3.0.18

rubyonrails rails 3.0.19

rubyonrails rails 3.1.10

rubyonrails rails 3.1.6

rubyonrails rails 3.2.1

rubyonrails rails 3.2.10

rubyonrails rails 3.2.17

rubyonrails rails 3.2.18

rubyonrails rails 3.2.4

rubyonrails rails 4.0.2

rubyonrails rails 4.0.3

rubyonrails rails 4.0.8

rubyonrails rails 4.0.9

rubyonrails rails 4.1.7

Vendor Advisories

Debian Bug report logs - #770934 rails: CVE-2014-7818 CVE-2014-7829
Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon)
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 25 Nov 2014 ...

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors i ...