Path Traversal in Rubyonrails Rails
CVE-2014-7829
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.003 (50.2nd percentile)
Affected products
- Rubyonrails Rails — versions 3.0.0, 3.0.1, 3.0.2
- Rubyonrails Ruby_on_rails — versions 3.0.4, 3.2.19, 3.2.20
- Opensuse — versions 12.3, 13.1, 13.2
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
- Abinandhini-cpu/VulnerableRubyrepo2
- CherMB/test-data-ingestion-service
- CherMB/test-data-ingestion-service-1
- CherMB/test-qa-blackduck
- bibin-paul-trustme/ruby_
- jasnow/585-652-ruby-advisory-db
- pankajkryadav/Hacktivity
- rubysec/ruby-advisory-db
- shunmugadigialert/ruby5
- zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-
References
- secalert@redhat.com (x_refsource_CONFIRM)
- openSUSE-SU-2014:1515 (vendor-advisory, x_refsource_SUSE)
- 71183 (vdb-entry, x_refsource_BID)
- [rubyonrails-security] 20141117 [CVE-2014-7829] Arbitrary file existence disclosure in Action Pack (mailing-list, x_refsource_MLIST, Exploit)
Frequently asked questions
- What is CVE-2014-7829?
- CVE-2014-7829 is a vulnerability in Rubyonrails Rails, classified under Path Traversal. Published 2014-11-18.
- Is CVE-2014-7829 known to be exploited?
- 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.