PT-2014-8290 · Ruby On Rails · Action Pack
Published 2014-11-08 · Updated 2019-08-08
CVE-2014-7818
CVSS v2.0 score 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Action Pack versions 3.x through 3.2.19
Action Pack versions 4.0.x through 4.0.10
Action Pack versions 4.1.x through 4.1.6
Action Pack versions 4.2.x through 4.2.0.beta2
Description
Action Pack's static-file middleware (actionpack/lib/action_dispatch/middleware/static.rb) percent-decodes the request path before checking whether a matching file exists under the application's public directory, but does not reject the ".." segments that the decoding can produce. When the serve static assets option is enabled, a remote attacker can therefore send a path containing a /..%2F sequence and have the existence check applied to files outside the application root. The file itself is not served, but the response differs depending on whether it exists, so the attacker can determine the existence of arbitrary files readable by the application process. This is a directory traversal vulnerability in Action Pack in Ruby on Rails.
Recommendations
For Action Pack versions 3.x through 3.2.19, update to version 3.2.20 or later.
For Action Pack versions 4.0.x through 4.0.10, update to version 4.0.11 or later.
For Action Pack versions 4.1.x through 4.1.6, update to version 4.1.7 or later.
For Action Pack versions 4.2.x through 4.2.0.beta2, update to version 4.2.0.beta3 or later.
As a temporary workaround until you can upgrade, disable the serve static assets option (config.serve_static_assets in the environment configuration of the affected 3.x, 4.0 and 4.1 releases) and let the front-end web server serve the public directory instead; with the option off and no web server in front, the application's own static files will no longer be served.
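To make the mechanism in the description concrete, the following Ruby model was written for this page; it is not Rails' own static.rb. It places a matcher that behaves like the vulnerable existence check beside one that applies the checks a fix needs (reject ".." segments after decoding, then require the resolved path to stay under the public root), and runs both against a constructed temporary directory. The directory layout, file names, function names and probe paths are assumptions for illustration only.

```ruby
require "tmpdir"
require "fileutils"

# Percent-decode a request path before it is looked up on disk. This is the
# step that turns "/..%2F..%2Fsecret.txt" into "/../../secret.txt".
def percent_decode(path)
  path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Vulnerable matcher (modelled on the flaw, not Rails' code): decode, join onto
# the public root and ask the filesystem. Nothing stops ".." from walking above
# root, so any existing regular file the process can stat is reported as a match.
def vulnerable_match?(root, path_info)
  File.file?(File.join(root, percent_decode(path_info)))
end

# Hardened matcher: decode first so encoded traversal is visible, refuse any
# ".." segment, then resolve the candidate and require it to stay under root.
def hardened_match?(root, path_info)
  decoded = percent_decode(path_info)
  return false unless decoded.valid_encoding?
  return false if decoded.split("/").include?("..")

  root_real = File.realpath(root)
  candidate = File.expand_path(decoded.sub(%r{\A/+}, ""), root_real)
  return false unless candidate.start_with?(root_real + File::SEPARATOR)

  File.file?(candidate)
end

# Constructed fixture (not real data): <tmp>/app/public/robots.txt lives inside
# root and <tmp>/secret.txt sits two directories above it. Returns the verdict
# of each matcher so the difference can be asserted on.
def probe
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "app", "public")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "robots.txt"), "User-agent: *\n")
    File.write(File.join(tmp, "secret.txt"), "constructed sample\n")

    traversal = "/..%2F..%2Fsecret.txt"
    {
      vulnerable_traversal: vulnerable_match?(root, traversal),                # true: existence leaked
      vulnerable_missing:   vulnerable_match?(root, "/..%2F..%2Fabsent.txt"),  # false: the oracle
      hardened_traversal:   hardened_match?(root, traversal),                  # false
      hardened_legit:       hardened_match?(root, "/robots.txt"),              # true
      hardened_missing:     hardened_match?(root, "/absent.css"),              # false
    }
  end
end

if $PROGRAM_NAME == __FILE__
  probe.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The pair of vulnerable_traversal and vulnerable_missing verdicts is the oracle the advisory describes: the attacker never receives secret.txt, but a request that resolves to an existing file is handled differently from one that does not. The hardened matcher answers false for both traversal paths while still serving a legitimate asset, which is the property to confirm after upgrading or when auditing your own static-file handling.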
Weakness Enumeration
Path traversal
Related identifiers
Affected products
Action Pack