Directory Traversal Vulnerability With Certain Route Configurations

Metadata

medium
4.3
actionpack
CVE-2014-0130
groups.google.com
2014-05-06
2017-06-16 19:08
Moderate: ruby193-rubygem-actionpack SCL Security Update
CVE-2014-0130 ruby-actionpack-3.2
CVE-2014-0130 ruby-actionpack-2.3
CVE-2014-0130
2017-04-01 19:10
2017-01-05 20:15

Description

There is a vulnerability in the 'implicit render'
functionality in Ruby on Rails. The implicit render functionality
allows controllers to render a template, even if there is no
explicit action with the corresponding name. This module does not
perform adequate input sanitization, which could allow an attacker to
use a specially crafted request to retrieve arbitrary files from the
Rails application server.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package: actionpack
Patched in: ~> 3.2.18, ~> 4.0.5, >= 4.1.1
Unaffected in: None
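
One way to apply the actionpack constraints listed on this page to a project's Gemfile.lock, as an added example (not code from Appcanary or the Rails project). The helper names and the sample lockfile are constructed for illustration; a version counts as patched when it satisfies any one of the listed constraints.

```ruby
require "rubygems"

# Patched ranges for actionpack, copied from the advisory's package table.
# "~> 3.2.18" means >= 3.2.18 and < 3.3, so each entry covers one release line.
PATCHED = ["~> 3.2.18", "~> 4.0.5", ">= 4.1.1"].map { |c| Gem::Requirement.new(c) }

# True when the version satisfies at least one patched constraint.
# The advisory lists no unaffected versions, so everything else is vulnerable.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Extract resolved versions of a gem from Gemfile.lock text. Resolved specs are
# indented four spaces ("    name (1.2.3)"); dependency lines are indented six
# and may carry constraints such as "(~> 1.5.2)", so they never match.
def locked_versions(lock_text, gem_name)
  lock_text.scan(/^ {4}(\S+) \(([^)\s]+)\)$/)
           .select { |name, _| name == gem_name }
           .map { |_, version| version }
end

# Report every locked actionpack version with its status for CVE-2014-0130.
def audit(lock_text)
  locked_versions(lock_text, "actionpack").map do |v|
    { version: v, status: patched?(v) ? :patched : :vulnerable }
  end
end

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.0.4)
        activesupport (= 4.0.4)
        rack (~> 1.5.2)
      activesupport (4.0.4)
      rack (1.5.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  audit(text).each { |r| puts "actionpack #{r[:version]}: #{r[:status]}" }
end
```

Pass the path to a Gemfile.lock as the first argument to audit a real project; with no argument the script checks the constructed sample.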