PT-2014-8290 · Ruby On Rails · Action Pack
Published 2014-11-08 · Updated 2019-08-08 · CVE-2014-7818
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Action Pack versions 3.x through 3.2.19
Action Pack versions 4.0.x through 4.0.10
Action Pack versions 4.1.x through 4.1.6
Action Pack versions 4.2.x through 4.2.0.beta2
Description
The issue allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence when the serve static assets option (config.serve_static_assets) is enabled. This is a directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails.
Recommendations
For Action Pack versions 3.x through 3.2.19, update to version 3.2.20 or later.
For Action Pack versions 4.0.x through 4.0.10, update to version 4.0.11 or later.
For Action Pack versions 4.1.x through 4.1.6, update to version 4.1.7 or later.
For Action Pack versions 4.2.x through 4.2.0.beta2, update to version 4.2.0.beta3 or later.
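To make the flaw concrete for anyone verifying an upgrade, here is an added Ruby example (not Action Pack's own code): a naive check that inspects the still-encoded request path, which a /..%2F sequence slips past, beside a resolver that decodes first and then confirms the canonical path stays under the public root, plus a small log-triage helper. PUBLIC_ROOT and all function names are constructed for this illustration.

```ruby
require 'cgi'

# Added example, not Action Pack's own code. PUBLIC_ROOT is a constructed
# directory name; nothing below touches the real filesystem.
PUBLIC_ROOT = "/srv/app/public"

# Naive check: looks for "../" in the raw, still percent-encoded path.
# "/..%2Fetc/passwd" contains no literal "../", so it is wrongly accepted.
def naive_allowed?(raw_path)
  !raw_path.include?("../")
end

# Hardened resolver: percent-decode first (as Rack::Utils.unescape would),
# canonicalise against the root, then require the result to stay inside it.
# Returns the absolute path to serve, or nil if the request must be refused.
def resolve_static(root, raw_path)
  decoded = CGI.unescape(raw_path)        # "%2F" -> "/", "+" -> " "
  return nil unless decoded.valid_encoding?
  return nil if decoded.include?("\0")    # NUL would truncate the path in C code
  root = File.expand_path(root)
  relative = decoded.sub(%r{\A/+}, "")    # keep the request relative to root
  full = File.expand_path(relative, root) # collapses "." and ".." segments
  # Root must be followed by a separator so a sibling directory such as
  # "/srv/app/public-old" is not mistaken for the root itself.
  return full if full == root || full.start_with?(root + File::SEPARATOR)
  nil
end

# Log-triage helper: flags requests whose decoded path contains a
# parent-directory segment, however it was encoded on the wire.
def traversal_attempt?(raw_path)
  CGI.unescape(raw_path).split(%r{/+}).include?("..")
end

if __FILE__ == $0
  ["/assets/app.js", "/..%2F..%2Fetc/passwd", "/../etc/passwd"].each do |p|
    puts "#{p.ljust(24)} naive=#{naive_allowed?(p)} " \
         "resolved=#{resolve_static(PUBLIC_ROOT, p).inspect}"
  end
end
```

Decoding is done once here, matching how the middleware unescapes; a request that was double-encoded would need the same decode-then-check cycle repeated until the path stops changing.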
As a temporary workaround, consider disabling the serve static assets option until a patch is available.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Action Pack