RubySec

Providing security resources for the Ruby community

CVE-2014-7819 (sprockets): Arbitrary file existence disclosure in Sprockets

GEM

sprockets

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • ~> 2.0.5
  • ~> 2.1.4
  • ~> 2.2.3
  • ~> 2.3.3
  • ~> 2.4.6
  • ~> 2.5.1
  • ~> 2.7.1
  • ~> 2.8.3
  • ~> 2.9.4
  • ~> 2.10.2
  • ~> 2.11.3
  • ~> 2.12.3
  • >= 3.0.0.beta.3
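The constraints above use RubyGems' pessimistic operator, so "~> 2.12.3" means 2.12.3 or any later 2.12.x release. The following is an added example (not RubySec's or the sprockets project's own tooling) that evaluates those constraints with Gem::Requirement to decide whether a given sprockets version is patched, and applies the check to a constructed Gemfile.lock excerpt. The helper names and the lockfile sample are assumptions for illustration.

```ruby
require "rubygems"

# Patched-version constraints, copied verbatim from the advisory above.
PATCHED_VERSIONS = [
  "~> 2.0.5", "~> 2.1.4", "~> 2.2.3", "~> 2.3.3", "~> 2.4.6", "~> 2.5.1",
  "~> 2.7.1", "~> 2.8.3", "~> 2.9.4", "~> 2.10.2", "~> 2.11.3", "~> 2.12.3",
  ">= 3.0.0.beta.3",
].freeze

# True when +version+ (a String such as "2.12.3") satisfies at least one of
# the patched-version requirements, i.e. the installed gem is not affected.
def sprockets_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_VERSIONS.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Looks for the sprockets spec line in Gemfile.lock text (four-space indent
# under "specs:"; dependency lines are indented six spaces and skipped).
# Returns [version, patched?] or nil when sprockets is not locked.
def check_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}sprockets \(([^)]+)\)$/)
  return nil unless m
  [m[1], sprockets_patched?(m[1])]
end

# Constructed Gemfile.lock excerpt (hypothetical, for the example only).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      hike (1.2.3)
      sprockets (2.12.2)
        hike (~> 1.2)
        multi_json (~> 1.0)
        rack (~> 1.0)
        tilt (~> 1.1, != 1.3.0)
      sprockets-rails (2.0.1)
        sprockets (~> 2.8)
LOCK

if __FILE__ == $0
  version, ok = check_lockfile(SAMPLE_LOCKFILE)
  puts "sprockets #{version}: #{ok ? 'patched' : 'AFFECTED by CVE-2014-7819'}"
end
```

Note that the advisory lists no patched release in the 2.6 series, so any 2.6.x version is reported as affected by this check; the fix for such an install is to move to a listed patched series.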

DESCRIPTION

Specially crafted requests can be used to determine whether a file exists on the filesystem outside an application's root directory. The file contents are not served, but an attacker can learn whether or not the file exists.