Arbitrary file existence disclosure in Action Pack

Metadata

medium
5.0
actionpack
CVE-2014-7829
groups.google.com
2014-11-17
2017-06-16 19:12
CVE-2014-7829 ruby-actionpack-2.3
CVE-2014-7829 ruby-actionpack-3.2
CVE-2014-7829 rails
CVE-2014-7829
2017-04-01 19:10
2017-01-05 20:15

Description

Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside the Rails application's root directory. The
files will not be served, but attackers can determine whether or not the file
exists. This vulnerability is very similar to CVE-2014-7818, but the
specially crafted string is slightly different.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Package Patched in Unaffected in
actionpack ~> 3.2.21,~> 4.0.11.1,~> 4.0.12,~> 4.1.7.1,>= 4.1.8 < 3.0.0