CVE-2014-7818 (Medium) detected in actionpack-4.1.0.gem

[mend-bolt-for-github]

CVE-2014-7818 - Medium Severity Vulnerability

Vulnerable Library - actionpack-4.1.0.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-4.1.0.gem

Path to dependency file: /tmp/ws-scm/app1/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.5.0/cache/actionpack-4.1.0.gem

Dependency Hierarchy:

• sass-rails-4.0.3.gem (Root Library)
  • railties-4.1.0.gem
    • ❌ actionpack-4.1.0.gem (Vulnerable Library)

Found in HEAD commit: 9d946faa10e3050193fb56220287f7565773de83

Vulnerability Details

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.

Publish Date: 2014-11-08

URL: CVE-2014-7818

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7818

Release Date: 2014-11-08

Fix Resolution: 3.2.20,4.0.11,4.1.7,4.2.0.beta3