CVE-2014-7829 (Medium) detected in actionpack-4.1.0.gem #25
Description
CVE-2014-7829 - Medium Severity Vulnerability
Vulnerable Library - actionpack-4.1.0.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-4.1.0.gem
Path to dependency file: /tmp/ws-scm/app1/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/actionpack-4.1.0.gem
Dependency Hierarchy:
- sass-rails-4.0.3.gem (Root Library)
- railties-4.1.0.gem
- ❌ actionpack-4.1.0.gem (Vulnerable Library)
- railties-4.1.0.gem
Found in HEAD commit: 9d946faa10e3050193fb56220287f7565773de83
Vulnerability Details
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
Publish Date: 2014-11-18
URL: CVE-2014-7829
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7829
Release Date: 2014-11-18
Fix Resolution: 3.2.21,4.0.12,4.1.8,4.2.0.beta4