Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
References
Link | Resource |
---|---|
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf | Broken Link Technical Description |
http://rhn.redhat.com/errata/RHSA-2014-1863.html | Third Party Advisory |
http://www.securityfocus.com/bid/67244 | Broken Link Third Party Advisory VDB Entry |
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ | Broken Link Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
16 Jul 2024, 17:57
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 7.5 |
CPE | cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:* cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:* |
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* |
First Time |
Redhat enterprise Linux Server
|
|
References | () http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf - Broken Link, Technical Description | |
References | () http://www.securityfocus.com/bid/67244 - Broken Link, Third Party Advisory, VDB Entry | |
References | () https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ - Broken Link, Third Party Advisory |
Information
Published : 2014-05-07 10:55
Updated : 2024-07-16 17:57
NVD link : CVE-2014-0130
Mitre link : CVE-2014-0130
CVE.ORG link : CVE-2014-0130
JSON object : View
Products Affected
redhat
- enterprise_linux_server
- subscription_asset_manager
rubyonrails
- rails
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')