Path Traversal in Rubyonrails Rails
CVE-2014-7818
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.002 (44.7th percentile)
Affected products
- Rubyonrails Rails — versions 3.0.0, 3.0.1, 3.0.2
- Rubyonrails Ruby_on_rails — versions 3.0.4, 3.2.19
- Opensuse — versions 12.3, 13.1, 13.2
Weakness classification (CWE)
Public proof-of-concept exploits
- Abinandhini-cpu/VulnerableRubyrepo2
- CherMB/test-data-ingestion-service
- CherMB/test-data-ingestion-service-1
- CherMB/test-qa-blackduck
- bibin-paul-trustme/ruby_
- jasnow/585-652-ruby-advisory-db
- rubysec/ruby-advisory-db
- shunmugadigialert/ruby5
- tdunning/github-advisory-parser
- zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-
References
- secalert@redhat.com (x_refsource_CONFIRM)
- openSUSE-SU-2014:1515 (vendor-advisory, x_refsource_SUSE)
- [rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818) (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2014-7818?
- CVE-2014-7818 is a vulnerability in Rubyonrails Rails, classified under Path Traversal. Published 2014-11-08.
- Is CVE-2014-7818 known to be exploited?
- 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.