Tobias Kraze

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 3.2.22.1 and earlier Ruby on Rails versions 4.1.14.1 and earlier **Description** A directory traversal issue in Action View allows remote attackers to read arbitrary files by providing a .. (dot dot) in a pathname, leveraging an application's unrestricted use of the render method. **Recommendations** For Ruby on Rails versions 3.2.22.1 and earlier, update to version 3.2.22.2 or later. For Ruby on Rails versions 4.1.14.1 and earlier, update to version 4.1.14.2 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 2.3.17 Ruby on Rails versions 3.x prior to 3.1.0 **Description** The issue allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the `serialize` helper to deserialize arbitrary YAML. **Recommendations** For Ruby on Rails versions prior to 2.3.17, update to version 2.3.17 or later. For Ruby on Rails versions 3.x prior to 3.1.0, update to version 3.1.0 or later.