Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2014-7818 (GCVE-0-2014-7818)
Vulnerability from cvelistv5 – Published: 2014-11-08 11:00 – Updated: 2024-08-06 13:03
VLAI?
EPSS
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:03:27.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"name": "openSUSE-SU-2014:1515",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"name": "openSUSE-SU-2014:1515",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-7818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/cve-2014-7829",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"name": "openSUSE-SU-2014:1515",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-7818",
"datePublished": "2014-11-08T11:00:00.000Z",
"dateReserved": "2014-10-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:03:27.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GSD-2014-7818
Vulnerability from gsd - Updated: 2014-10-30 00:00Details
Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside the Rails application's root directory. The
files will not be served, but attackers can determine whether or not the file
exists.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-7818",
"description": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.",
"id": "GSD-2014-7818",
"references": [
"https://www.suse.com/security/cve/CVE-2014-7818.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2014-7818"
],
"details": "Specially crafted requests can be used to determine whether a file exists on\nthe filesystem that is outside the Rails application\u0027s root directory. The\nfiles will not be served, but attackers can determine whether or not the file\nexists.\n",
"id": "GSD-2014-7818",
"modified": "2014-10-30T00:00:00.000Z",
"published": "2014-10-30T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "Arbitrary file existence disclosure in Action Pack"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-7818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/cve-2014-7829",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"name": "openSUSE-SU-2014:1515",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-7818",
"cvss_v2": 4.3,
"date": "2014-10-30",
"description": "Specially crafted requests can be used to determine whether a file exists on\nthe filesystem that is outside the Rails application\u0027s root directory. The\nfiles will not be served, but attackers can determine whether or not the file\nexists.\n",
"framework": "rails",
"gem": "actionpack",
"patched_versions": [
"~\u003e 3.2.20",
"~\u003e 4.0.11",
"~\u003e 4.1.7",
"\u003e= 4.2.0.beta3"
],
"title": "Arbitrary file existence disclosure in Action Pack",
"unaffected_versions": [
"\u003c 3.0.0"
],
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.2.0a \u003c3.2.20||\u003e=4.0.0a \u003c4.0.11||\u003e=4.1.0a \u003c4.1.7||\u003e=4.2.0.a \u003c4.2.0.beta3",
"affected_versions": "All versions starting from 3.2.0a before 3.2.20, all versions starting from 4.0.0a before 4.0.11, all versions starting from 4.1.0a before 4.1.7, all versions starting from 4.2.0.a before 4.2.0.beta3",
"credit": "Eaden McKee, Dennis Hackethal \u0026 Christian Hansen of Crowdcurity, Juan C. M\u00fcller \u0026 Mike McClurg of Greenhouse.io and Alex Ianus of Coinbase",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2019-08-08",
"description": "Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application\u0027s root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application\u0027s production configuration will say: `config.serve_static_assets = true`",
"fixed_versions": [
"3.2.20",
"4.0.11",
"4.1.7",
"4.2.0.beta3"
],
"identifier": "CVE-2014-7818",
"identifiers": [
"CVE-2014-7818"
],
"package_slug": "gem/actionpack",
"pubdate": "2014-11-08",
"solution": "Upgrade to latest or use workaround; see provided link.",
"title": "Arbitrary file existence disclosure",
"urls": [
"https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo"
],
"uuid": "6333bd40-6be7-42cc-86ca-30ce81d1c799"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-7818"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"name": "openSUSE-SU-2014:1515",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"name": "https://puppet.com/security/cve/cve-2014-7829",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2014-7829"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2019-08-08T15:43Z",
"publishedDate": "2014-11-08T11:55Z"
}
}
}
FKIE_CVE-2014-7818
Vulnerability from fkie_nvd - Published: 2014-11-08 11:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en Action Pack en Ruby on Rails 3.x anterior a 3.2.20, 4.0.x anterior a 4.0.11, 4.1.x anterior a 4.1.7, y 4.2.x anterior a 4.2.0.beta3, cuando serve_static_assets est\u00e1 habilitado, permite a atacantes remotos determinar la existencia de ficheros fuera del root de la aplicaci\u00f3n a trav\u00e9s de una secuencia /..%2F."
}
],
"id": "CVE-2014-7818",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-08T11:55:02.977",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2014-7829"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-29GR-W57F-RPFW
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-08-25 19:41
VLAI?
Summary
actionpack vulnerable to Path Traversal
Details
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.beta1"
},
{
"fixed": "4.2.0.beta3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-7818"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:51:48Z",
"nvd_published_at": "2014-11-08T11:55:00Z",
"severity": "MODERATE"
},
"details": "Directory traversal vulnerability in `actionpack/lib/action_dispatch/middleware/static.rb` in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when `serve_static_assets` is enabled, allows remote attackers to determine the existence of files outside the application root via a `/..%2F` sequence.",
"id": "GHSA-29gr-w57f-rpfw",
"modified": "2023-08-25T19:41:02Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7818"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-29gr-w57f-rpfw"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "actionpack vulnerable to Path Traversal"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…