RubySec

Providing security resources for the Ruby community

CVE-2014-0130 (actionpack): Directory Traversal Vulnerability With Certain Route Configurations

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3 (Medium)

PATCHED VERSIONS

  • ~> 3.2.18
  • ~> 4.0.5
  • >= 4.1.1

DESCRIPTION

There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails.The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.