Directory Traversal Vulnerability in Action Pack of Ruby on Rails
CVE-2014-7818
Currently unrated
What is CVE-2014-7818?
A directory traversal vulnerability exists in the Action Pack component of Ruby on Rails, specifically within the middleware handling static assets. When the serve_static_assets feature is enabled, remote attackers can exploit this vulnerability to reveal the existence of files outside the application’s root directory by utilizing a crafted request containing a /..%2F sequence. This poses a serious threat as it can lead to unauthorized information disclosure, potentially allowing attackers to access sensitive files and configurations stored on the server.
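
The decode-then-contain check that guards a static file handler against this class of request, as an added Ruby example (not Rails or Rack source, and not part of the original entry); percent_decode, raw_segment_check_passes?, resolve_static, demo and the sample file names are hypothetical. It shows why a filter applied to the still-encoded path lets /..%2F through, and it returns the same nil for an out-of-root path and a missing file, so the response does not reveal whether the file exists.

```ruby
require "tmpdir"

# Hypothetical helpers for illustration; not Rails or Rack code.

# Percent-decode without treating "+" as a space.
def percent_decode(str)
  str.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Check made on the raw, still-encoded path. "/..%2Fx" contains no ".."
# segment until it is decoded, so this filter lets it through.
def raw_segment_check_passes?(request_path)
  request_path.split("/").none? { |seg| seg == ".." }
end

# Map a request path to a file under +root+; nil if it would leave +root+.
def resolve_static(root, request_path)
  root = File.realpath(root)
  decoded = percent_decode(request_path) # decode first, check afterwards
  return nil unless decoded.valid_encoding?
  return nil if decoded.include?("\0")
  # expand_path collapses "." and ".." lexically (symlinks are not resolved).
  candidate = File.expand_path(File.join(root, decoded))
  # Trailing separator stops "/srv/public-old" matching root "/srv/public".
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  inside && File.file?(candidate) ? candidate : nil
end

# Constructed sample tree: public/index.html is servable, secret.txt is not.
def demo
  Dir.mktmpdir do |dir|
    pub = File.join(dir, "public")
    Dir.mkdir(pub)
    File.write(File.join(pub, "index.html"), "ok")
    File.write(File.join(dir, "secret.txt"), "x")
    paths = ["/index.html", "/..%2Fsecret.txt", "/%2e%2e/secret.txt", "/missing.css"]
    paths.to_h do |p|
      [p, { raw_check: raw_segment_check_passes?(p), served: !resolve_static(pub, p).nil? }]
    end
  end
end
```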