RubySec

Providing security resources for the Ruby community

CVE-2014-7818 (actionpack): Arbitrary file existence disclosure in Action Pack

ADVISORIES

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 4.3 (Medium)

UNAFFECTED VERSIONS

  • < 3.0.0

PATCHED VERSIONS

  • ~> 3.2.20
  • ~> 4.0.11
  • ~> 4.1.7
  • >= 4.2.0.beta3

DESCRIPTION

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.