PT-2014-8291 · Rails+1 · Sprockets+1

Published 2014-11-08 · Updated 2023-02-13 · CVE-2014-7819

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

- Sprockets versions prior to 2.0.5
- Sprockets versions 2.1.x prior to 2.1.4
- Sprockets versions 2.2.x prior to 2.2.3
- Sprockets versions 2.3.x prior to 2.3.3
- Sprockets versions 2.4.x prior to 2.4.6
- Sprockets versions 2.5.x prior to 2.5.1
- Sprockets versions 2.6.x and 2.7.x prior to 2.7.1
- Sprockets versions 2.8.x prior to 2.8.3
- Sprockets versions 2.9.x prior to 2.9.4
- Sprockets versions 2.10.x prior to 2.10.2
- Sprockets versions 2.11.x prior to 2.11.3
- Sprockets versions 2.12.x prior to 2.12.3
- Sprockets versions 3.x prior to 3.0.0.beta.3
Description

Multiple directory traversal vulnerabilities in server.rb in Sprockets allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding. This issue affects Sprockets as distributed with Ruby on Rails 3.x and 4.x.
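The two bypasses named in the description (doubled slashes and URL encoding) both work against a check that inspects the raw request string for the literal "../" before the path is decoded and normalized. The following is an added example, not Sprockets' own code or its actual fix, of the order of operations a hardened asset server should use: decode once, collapse duplicate slashes, resolve the path against the asset root, and only then test containment. The asset root `/srv/app/assets` and the sample request paths are constructed for the example.

```ruby
# Added example (not Sprockets' own code): resolve a requested asset path so that
# "..", doubled slashes and percent-encoded traversal sequences cannot escape the
# asset root. The root below is a constructed example value.
ASSET_ROOT = "/srv/app/assets"

# Returns the absolute filesystem path under +root+ for +request_path+, or nil
# when the request cannot be served. Callers should answer nil with the same
# response used for a missing asset (e.g. 404), so that a rejected path does not
# leak whether a file outside the root exists.
def safe_asset_path(request_path, root = ASSET_ROOT)
  # 1. Percent-decode exactly once, BEFORE any inspection. Checking the raw
  #    string for "../" is what "%2e%2e%2f" slips past. A manual decode is used
  #    so that "+" is left alone (it is not a space in a path).
  decoded = request_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }

  # 2. Anything still carrying "%" after one decode is double-encoded (or an
  #    unusual filename); refuse rather than decode again.
  return nil if decoded.include?("%")

  # 3. NUL bytes truncate paths in C-backed filesystem calls; never pass them on.
  return nil if decoded.include?("\0")

  # 4. Collapse runs of slashes so "..//" normalizes exactly like "../".
  collapsed = decoded.gsub(%r{/+}, "/")

  # 5. Resolve lexically against the root. File.absolute_path is used instead of
  #    File.expand_path because expand_path also expands a leading "~".
  relative = collapsed.sub(%r{\A/}, "")
  full = File.absolute_path(relative, root)

  # 6. Containment check on the RESOLVED path: it must be strictly inside root.
  return nil unless full.start_with?(root + "/")
  full
end

if __FILE__ == $0
  # Constructed sample requests: one legitimate, the rest traversal attempts of
  # the two kinds named in the advisory (doubled slashes, URL encoding).
  [
    "/javascripts/app.js",
    "/../../etc/passwd",
    "/javascripts//..//..//..//etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/etc/passwd",
  ].each do |req|
    puts "#{req.ljust(40)} -> #{safe_asset_path(req).inspect}"
  end
end
```

The important property is that the containment test runs on the fully resolved path rather than on the request string; any check performed before decoding and normalization can be bypassed by a differently encoded spelling of the same traversal.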
Recommendations

- For Sprockets versions prior to 2.0.5, update to version 2.0.5 or later.
- For Sprockets versions 2.1.x prior to 2.1.4, update to version 2.1.4 or later.
- For Sprockets versions 2.2.x prior to 2.2.3, update to version 2.2.3 or later.
- For Sprockets versions 2.3.x prior to 2.3.3, update to version 2.3.3 or later.
- For Sprockets versions 2.4.x prior to 2.4.6, update to version 2.4.6 or later.
- For Sprockets versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later.
- For Sprockets versions 2.6.x and 2.7.x prior to 2.7.1, update to version 2.7.1 or later.
- For Sprockets versions 2.8.x prior to 2.8.3, update to version 2.8.3 or later.
- For Sprockets versions 2.9.x prior to 2.9.4, update to version 2.9.4 or later.
- For Sprockets versions 2.10.x prior to 2.10.2, update to version 2.10.2 or later.
- For Sprockets versions 2.11.x prior to 2.11.3, update to version 2.11.3 or later.
- For Sprockets versions 2.12.x prior to 2.12.3, update to version 2.12.3 or later.
- For Sprockets versions 3.x prior to 3.0.0.beta.3, update to version 3.0.0.beta.3 or later.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2014-7819
GHSA-33PP-3763-MRFP
GHSA-R4X3-G983-9G48
MGASA-2015-0074
SUSE-SU-2015:0787-1
SUSE-SU-2015:0863-1

Affected Products

Ruby On Rails
Sprockets