Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
References
| Link | Resource |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html | Mailing List Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html | Mailing List Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html | Mailing List Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html | Mailing List Third Party Advisory |
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ | Third Party Advisory |
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2014-11-08 11:55
Updated : 2024-02-04 18:35
NVD link : CVE-2014-7819
Mitre link : CVE-2014-7819
CVE.ORG link : CVE-2014-7819
JSON object : View
Products Affected
sprockets_project
- sprockets
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')