⚠ Actively exploited

Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2014-0130

CWE-22 — Path Traversal23 documents8 sources

Severity

7.5HIGH

EPSS

45.4%

top 2.39%

CISA KEV

KEV

Added 2022-03-25

Due 2022-04-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Rubyonrails Rails Redhat Subscription Asset Manager Redhat Enterprise Linux Server

Timeline

PublishedMay 7

KEV addedMar 25

KEV dueApr 15

CISA Required Action: Apply updates per vendor instructions.

Description

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDrubyonrails/rails4.0.0 — 4.0.5+2

▶RubyGemsactionpack3.0.0 — 3.2.18+2

▶Ubunturails< 2:4.2.6-1+1

▶NVDredhat/subscription_asset_manager1.3.0

▶NVDredhat/enterprise_linux_server6.0

🔴Vulnerability Details

OSV

actionpack Path Traversal vulnerability↗2017-10-24

▶

GHSA

actionpack Path Traversal vulnerability↗2017-10-24

▶

OSV

CVE-2014-0130: Directory traversal vulnerability in actionpack/lib/abstract_controller/base↗2014-05-07

▶

CVEList

CVE-2014-0130: Directory traversal vulnerability in actionpack/lib/abstract_controller/base↗2014-05-07

▶

VulnCheck

Ruby on Rails Directory Traversal Vulnerability↗2014

▶

📋Vendor Advisories

CISA

Ruby on Rails Directory Traversal Vulnerability↗2022-03-25

▶

Red Hat

rubygem-actionpack: directory traversal issue↗2014-05-06

▶

💬Community

Bugzilla

CVE-2014-0130 rubygem-activesupport: Ruby on Rails: directory traversal issue [fedora-all]↗2014-05-07

▶

Bugzilla

CVE-2014-0130 rubygem-activeresource: Ruby on Rails: directory traversal issue [fedora-all]↗2014-05-07

▶

Bugzilla

CVE-2014-0130 rubygem-actionpack: directory traversal issue↗2014-05-07

▶

Bugzilla

CVE-2014-0130 rubygem-actionpack: Ruby on Rails: directory traversal issue [fedora-all]↗2014-05-07

▶

Bugzilla

CVE-2014-0130 rubygem-activerecord: Ruby on Rails: directory traversal issue [epel-5]↗2014-05-07

▶