Vulnerability-Lookup

CVE-2014-7819 (GCVE-0-2014-7819)

Vulnerability from cvelistv5 – Published: 2014-11-08 11:00 – Updated: 2024-08-06 13:03

Summary

Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GSD-2014-7819

Vulnerability from gsd - Updated: 2014-10-30 00:00

Details

Aliases

CVE-2014-7819

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-7819",
    "description": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.",
    "id": "GSD-2014-7819",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-7819.html",
      "https://access.redhat.com/errata/RHBA-2015:1100",
      "https://advisories.mageia.org/CVE-2014-7819.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "sprockets",
            "purl": "pkg:gem/sprockets"
          }
        }
      ],
      "aliases": [
        "CVE-2014-7819",
        "OSVDB-113965"
      ],
      "details": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.",
      "id": "GSD-2014-7819",
      "modified": "2014-10-30T00:00:00.000Z",
      "published": "2014-10-30T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.0,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2014-7819",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"
          },
          {
            "name": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"
          },
          {
            "name": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2014-7819",
      "cvss_v2": 5.0,
      "date": "2014-10-30",
      "description": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.",
      "gem": "sprockets",
      "osvdb": 113965,
      "patched_versions": [
        "~\u003e 2.0.5",
        "~\u003e 2.1.4",
        "~\u003e 2.2.3",
        "~\u003e 2.3.3",
        "~\u003e 2.4.6",
        "~\u003e 2.5.1",
        "~\u003e 2.7.1",
        "~\u003e 2.8.3",
        "~\u003e 2.9.4",
        "~\u003e 2.10.2",
        "~\u003e 2.11.3",
        "~\u003e 2.12.3",
        "\u003e= 3.0.0.beta.3"
      ],
      "title": "CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.0.0a \u003c3.0.0.beta.3||\u003e=2.12.0a \u003c2.12.3||\u003e=2.11.0a \u003c2.11.3||\u003e=2.10.0a \u003c2.10.2||\u003e=2.9.0a \u003c2.9.4||\u003e=2.8.0a \u003c2.8.3||\u003e=2.7.0a \u003c2.7.1||\u003e=2.5.0a \u003c2.5.1||\u003e=2.4.0a \u003c2.4.6||\u003e=2.3.0a \u003c2.3.3||\u003e=2.2.0a \u003c2.2.3||\u003e=2.1.0a \u003c2.1.4||\u003e=2.0.0 \u003c2.0.5",
          "affected_versions": "All versions starting from 3.0.0a before 3.0.0.beta.3, all versions starting from 2.12.0a before 2.12.3, all versions starting from 2.11.0a before 2.11.3, all versions starting from 2.10.0a before 2.10.2, all versions starting from 2.9.0a before 2.9.4, all versions starting from 2.8.0a before 2.8.3, all versions starting from 2.7.0a before 2.7.1, all versions starting from 2.5.0a before 2.5.1, all versions starting from 2.4.0a before 2.4.6, all versions starting from 2.3.0a before 2.3.3, all versions starting from 2.2.0a before 2.2.3, all versions starting from 2.1.0a before 2.1.4, all versions starting from 2.0.0 before 2.0.5",
          "credit": "Eaden McKee, Dennis Hackethal \u0026 Christian Hansen of Crowdcurity, Juan C. M\u00fcller \u0026 Mike McClurg of Greenhouse.io and Alex Ianus of Coinbase",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2018-12-18",
          "description": "Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application\u0027s root directory. The files will not be served, but attackers can determine whether the file exists.",
          "fixed_versions": [
            "2.0.5",
            "2.1.4",
            "2.10.2",
            "2.11.3",
            "2.12.3",
            "2.2.3",
            "2.3.3",
            "2.4.6",
            "2.5.1",
            "2.7.1",
            "2.8.3",
            "2.9.4",
            "3.0.0.beta.3"
          ],
          "identifier": "CVE-2014-7819",
          "identifiers": [
            "CVE-2014-7819"
          ],
          "package_slug": "gem/sprockets",
          "pubdate": "2014-11-08",
          "solution": "Upgrade to latest or use workaround.\r\n\r\nIn Rails applications, work around this issue, set config.serve_static_assets = false in an initializer.  This work around will not be possible in all hosting environments and upgrading is advised.",
          "title": "Arbitrary file existence disclosure",
          "urls": [
            "https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY"
          ],
          "uuid": "e6fce8ce-942c-40c0-93ae-e570d32bbac7"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:2.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.5",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.1.4",
                "versionStartIncluding": "2.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.3",
                "versionStartIncluding": "2.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.3",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.6",
                "versionStartIncluding": "2.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5.1",
                "versionStartIncluding": "2.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.1",
                "versionStartIncluding": "2.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.3",
                "versionStartIncluding": "2.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.9.4",
                "versionStartIncluding": "2.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.10.2",
                "versionStartIncluding": "2.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.3",
                "versionStartIncluding": "2.11.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.12.3",
                "versionStartIncluding": "2.12.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:3.0.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:3.0.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-7819"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Sprockets (CVE-2014-7819)",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"
            },
            {
              "name": "[rubyonrails-security] 20141030 [AMENDED] [CVE-2014-7819] Arbitrary file existence disclosure in Sprockets",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"
            },
            {
              "name": "openSUSE-SU-2014:1513",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"
            },
            {
              "name": "openSUSE-SU-2014:1514",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"
            },
            {
              "name": "openSUSE-SU-2014:1504",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"
            },
            {
              "name": "openSUSE-SU-2014:1502",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:42Z",
      "publishedDate": "2014-11-08T11:55Z"
    }
  }
}

GHSA-33PP-3763-MRFP

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-03-01 18:54

Summary

sprockets vulnerable to Path Traversal

Details

Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sprockets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0"
            },
            {
              "fixed": "2.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:53:55Z",
    "nvd_published_at": "2014-11-08T11:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple directory traversal vulnerabilities in `server.rb` in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.",
  "id": "GHSA-33pp-3763-mrfp",
  "modified": "2023-03-01T18:54:54Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7819"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2015:1100"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2014-7819"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1161527"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "sprockets vulnerable to Path Traversal"
}

FKIE_CVE-2014-7819

Vulnerability from fkie_nvd - Published: 2014-11-08 11:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html	Mailing List, Third Party Advisory
secalert@redhat.com	https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ	Third Party Advisory
secalert@redhat.com	https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ	Third Party Advisory

Impacted products

Vendor	Product	Version
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	*
sprockets_project	sprockets	2.6.0
sprockets_project	sprockets	3.0.0
sprockets_project	sprockets	3.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "36F5A38C-B51C-4455-80B2-3FA89022C72B",
              "versionEndExcluding": "2.0.5",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8177C76-1C51-41E2-9647-107A76D9A9C0",
              "versionEndExcluding": "2.1.4",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "328E446A-05ED-4B23-9027-BC43A529C1AA",
              "versionEndExcluding": "2.2.3",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "659F0437-C16E-422C-89A8-448EDA78F48E",
              "versionEndExcluding": "2.3.3",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02AFF247-E71C-4C01-AB2A-EAF1CF171AC0",
              "versionEndExcluding": "2.4.6",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50BAFDB7-A9B8-42E7-BC49-0D38DBC1E527",
              "versionEndExcluding": "2.5.1",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DDDE474C-2C05-4D15-B24F-82635B7FD896",
              "versionEndExcluding": "2.7.1",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D4C63A3-F044-49CD-8D72-D8614C359250",
              "versionEndExcluding": "2.8.3",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7774FEE9-5ED9-4976-B363-38D838B8BA57",
              "versionEndExcluding": "2.9.4",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7660A259-00F1-4CB6-AAE6-85D769DB4A64",
              "versionEndExcluding": "2.10.2",
              "versionStartIncluding": "2.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "70228E9F-071E-45B6-9FBA-FE85DB04806E",
              "versionEndExcluding": "2.11.3",
              "versionStartIncluding": "2.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983B03-4446-4FE4-8EC7-DAFC9498CE6D",
              "versionEndExcluding": "2.12.3",
              "versionStartIncluding": "2.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8632528E-DF46-47BC-A229-E773D0CA4EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:3.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "E99F6172-6BF6-4FD1-BA63-1A9A0244FBD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sprockets_project:sprockets:3.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "84D71F8E-38B6-4E96-B745-3D19DC64504D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de salto de directorio en server.rb en Sprockets anterior a 2.0.5, 2.1.x anterior a 2.1.4, 2.2.x anterior a 2.2.3, 2.3.x anterior a 2.3.3, 2.4.x anterior a 2.4.6, 2.5.x anterior a 2.5.1, 2.6.x y 2.7.x anterior a 2.7.1, 2.8.x anterior a 2.8.3, 2.9.x anterior a 2.9.4, 2.10.x anterior a 2.10.2, 2.11.x anterior a 2.11.3, 2.12.x anterior a 2.12.3, y 3.x anterior a 3.0.0.beta.3, distribuido con Ruby on Rails 3.x y 4.x, permiten a atacantes remotos determinar la existencia de ficheros fuera del root de la aplicaci\u00f3n a trav\u00e9s de una secuencia ../ (punto punto barra) con (1) barras dobles o (2) codificaci\u00f3n de URL."
    }
  ],
  "id": "CVE-2014-7819",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-11-08T11:55:03.023",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-7819 (GCVE-0-2014-7819)

GSD-2014-7819

GHSA-33PP-3763-MRFP

FKIE_CVE-2014-7819

Tags

Sightings

Nomenclature