ADVISORIES
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 5.0 (Medium)
UNAFFECTED VERSIONS
- < 3.0.0
PATCHED VERSIONS
- ~> 3.2.21
- ~> 4.0.11.1
- ~> 4.0.12
- ~> 4.1.7.1
- >= 4.1.8
DESCRIPTION
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but the specially crafted string is slightly different.