CVE-2014-7818Path Traversal in Project Actionpack

CWE-22Path TraversalCWE-200Sensitive Information Exposure14 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 55.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Rubyonrails RailsActionpack Project ActionpackOpensuse+1 more
Timeline
PublishedNov 8
Latest updateSep 17

Description

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

RubyGemsactionpack_project/actionpack3.0.03.2.20+3
Debianrubyonrails/rails< 2:4.1.8-1+3
NVDrubyonrails/rails67 versions+66
NVDrubyonrails/ruby_on_rails3.0.4, 3.2.19+1
NVDopensuse/opensuse12.3, 13.1, 13.2+2

🔴Vulnerability Details

6
GHSA
Moderate severity vulnerability that affects actionpack2018-09-17
OSV
actionpack vulnerable to Path Traversal2017-10-24
GHSA
actionpack vulnerable to Path Traversal2017-10-24
GHSA
Directory traversal vulnerability in actionpack2017-10-24
OSV
CVE-2014-7818: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static2014-11-08

📋Vendor Advisories

3
Red Hat
rubygem-actionpack: incomplete fix for CVE-2014-7818, arbitrary file existence disclosure2014-11-17
Red Hat
rubygem-actionpack: arbitrary file existence disclosure2014-10-31
Debian
CVE-2014-7818: rails - Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/s...2014

💬Community

4
Bugzilla
CVE-2014-7829 rubygem-actionpack: incomplete fix for CVE-2014-7818, arbitrary file existence disclosure [fedora-all]2014-11-18
Bugzilla
CVE-2014-7829 rubygem-actionpack: incomplete fix for CVE-2014-7818, arbitrary file existence disclosure2014-11-17
Bugzilla
CVE-2014-7818 rubygem-actionpack: arbitrary file existence disclosure [fedora-all]2014-11-12
Bugzilla
CVE-2014-7818 rubygem-actionpack: arbitrary file existence disclosure2014-11-07
CVE-2014-7818 — Path Traversal in Project Actionpack | cvebase