PT-2014-8296 · Ruby · Ruby On Rails

Published

2014-11-18

·

Updated

2019-08-08

·

CVE-2014-7829

CVSS v2.0

5.0

Medium

Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Action Pack in Ruby on Rails versions 3.x through 3.2.20
Action Pack in Ruby on Rails versions 4.0.x through 4.0.11
Action Pack in Ruby on Rails versions 4.1.x through 4.1.7
Action Pack in Ruby on Rails versions 4.2.x through 4.2.0.beta3

Description

A directory traversal vulnerability exists in the actionpack/lib/action_dispatch/middleware/static.rb file in Action Pack in Ruby on Rails. It allows remote attackers to determine whether files outside the application root exist, via vectors involving a /..%2F sequence or a backslash (\) character, when the serve_static_assets option is enabled.

Recommendations

For Action Pack in Ruby on Rails versions 3.x through 3.2.20, update to version 3.2.21 or later.
For Action Pack in Ruby on Rails versions 4.0.x through 4.0.11, update to version 4.0.12 or later.
For Action Pack in Ruby on Rails versions 4.1.x through 4.1.7, update to version 4.1.8 or later.
For Action Pack in Ruby on Rails versions 4.2.x through 4.2.0.beta3, update to version 4.2.0.beta4 or later.
As a temporary workaround, consider disabling the serve_static_assets option until a patch is available.
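As an added illustration (not code from Rails' static.rb or from this advisory), the containment check a static-file middleware needs so that the two vectors above are refused before the filesystem is consulted; the class name, method names and the throwaway fixture are assumptions made for the demo:

```ruby
require 'tmpdir'
require 'fileutils'

# Hardened static-file resolver (illustrative, not Rails' own static.rb).
class SafeStaticResolver
  def initialize(root)
    @root = File.expand_path(root)
  end

  # Returns the absolute path of a servable file under root, or nil when the
  # request must be refused. The advisory's vectors are handled explicitly:
  # "..%2F" is percent-decoded BEFORE the containment check, a backslash is
  # rejected outright, and the filesystem is only probed after containment
  # passes, so a refused request never reveals whether a file exists.
  def resolve(path_info)
    decoded = path_info.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding('UTF-8')
    return nil unless decoded.valid_encoding?
    return nil if decoded.include?("\\") || decoded.include?("\0")
    relative = decoded.sub(%r{\A/+}, '')
    return nil if relative.start_with?('~')       # expand_path would treat it as a home dir
    candidate = File.expand_path(relative, @root) # resolves "." and ".." segments
    inside = candidate == @root || candidate.start_with?(@root + File::SEPARATOR)
    return nil unless inside
    File.file?(candidate) && File.readable?(candidate) ? candidate : nil
  end

  # Constructed fixture for the demo: root/public/index.html is servable,
  # root/secret.txt sits outside the served directory. Returns [resolver, root].
  def self.demo
    base = Dir.mktmpdir('static-demo')
    public_dir = File.join(base, 'public')
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, 'index.html'), '<h1>ok</h1>')
    File.write(File.join(base, 'secret.txt'), 'not for the web')
    [new(public_dir), base]
  end
end

if $PROGRAM_NAME == __FILE__
  resolver, _base = SafeStaticResolver.demo
  ['/index.html', '/..%2Fsecret.txt', '/..\\secret.txt', '/../secret.txt'].each do |req|
    puts "#{req.inspect} => #{resolver.resolve(req).inspect}"
  end
end
```

Every refusal returns the same nil, which is the property the vulnerable ordering (probe the file, then validate) lacked.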

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2014-7829
GHSA-29GR-W57F-RPFW
GHSA-5XMJ-WM96-FMW8
GHSA-H56M-VWXC-3QPW
OPENSUSE-SU-2024:10332-1
SUSE-SU-2015:0863-1

Affected products

Ruby On Rails