Vulnerability CVE-2014-7818 - CERT Civis.Net

Vulnerability Name:

CVE-2014-7818 (CCN-98414)

Assigned:

2014-10-30

Published:

2014-10-30

Updated:

2019-08-08

Summary:

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-7818

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1515

Source: CCN
Type: oss-security Mailing List, Thu, 30 Oct 2014 11:47:39 -0700
Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

Source: CCN
Type: BID-70789
Ruby on Rails Action Pack Component CVE-2014-7818 Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
actionpack-cve20147818-info-disc(98414)

Source: MLIST
Type: UNKNOWN
[rubyonrails-security] 20141030 Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

Source: CONFIRM
Type: UNKNOWN
https://puppet.com/security/cve/cve-2014-7829

Source: CCN
Type: RubyGems Web site
actionpack

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-7818

Vulnerable Configuration:

Configuration 1:

cpe:/a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20147818	V	CVE-2014-7818	2022-06-30
oval:org.opensuse.security:def:7	P	apr-util-devel-1.6.1-16.43 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:20	P	bubblewrap-0.4.1-1.16 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:113352	P	ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106759	P	Security update for log4j (Important)	2021-12-17
oval:org.opensuse.security:def:26181	P	Security update for mozilla-nss (Important)	2021-12-06
oval:org.opensuse.security:def:55254	P	Security update for webkit2gtk3 (Important)	2021-10-06
oval:org.opensuse.security:def:26117	P	Security update for xen (Important)	2021-09-02
oval:org.opensuse.security:def:67543	P	Security update for openssl-1_0_0 (Important)	2021-08-24
oval:org.opensuse.security:def:55937	P	Security update for java-1_8_0-openjdk (Important)	2021-08-20
oval:org.opensuse.security:def:26106	P	Security update for libmspack (Moderate)	2021-08-17
oval:org.opensuse.security:def:26105	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:36556	P	rubygem-actionpack-3_2-3.2.12-0.19.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:70896	P	elfutils-0.168-2.164 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:70783	P	Security update for libwebp (Critical)	2021-06-04
oval:org.opensuse.security:def:55771	P	Security update for python-cryptography (Moderate)	2020-12-04
oval:org.opensuse.security:def:96505	P	ruby2.5-rubygem-actionpack-5_1-5.1.4-3.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103195	P	ruby2.5-rubygem-actionpack-5_1-5.1.4-3.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:89540	P	ruby2.5-rubygem-actionpack-5_1-5.1.4-3.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:55492	P	Security update for libksba (Moderate)	2020-12-01
oval:org.opensuse.security:def:64196	P	ruby2.5-rubygem-actionpack-5_1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56615	P	Security update for postgresql10 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26784	P	mono-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:67443	P	Security update for SUSE Manager Proxy 4.1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26837	P	vte on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56222	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:26390	P	Security update for ark (Low)	2020-12-01
oval:org.opensuse.security:def:55092	P	dia on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56422	P	Security update for poppler (Moderate)	2020-12-01
oval:org.opensuse.security:def:26531	P	coolkey on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56534	P	Security update for libvpx (Moderate)	2020-12-01
oval:org.opensuse.security:def:26735	P	libMagickCore1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55665	P	Security update for libpng16 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27519	P	nagios on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26823	P	star on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26309	P	Security update for haproxy (Important)	2020-12-01
oval:org.opensuse.security:def:55091	P	dhcp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27554	P	rubygem-actionpack-3_2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26881	P	dbus-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56330	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:26447	P	Security update for pdns (Important)	2020-12-01
oval:org.opensuse.security:def:55114	P	gdk-pixbuf-lang on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64109	P	Security update for bluez (Important)	2020-12-01
oval:org.opensuse.security:def:56496	P	Security update for binutils (Moderate)	2020-12-01
oval:org.opensuse.security:def:26682	P	cyrus-imapd on GA media (Moderate)	2020-12-01
oval:com.ubuntu.cosmic:def:201478180000000	V	CVE-2014-7818 on Ubuntu 18.10 (cosmic) - low.	2014-11-08
oval:com.ubuntu.artful:def:20147818000	V	CVE-2014-7818 on Ubuntu 17.10 (artful) - low.	2014-11-08
oval:com.ubuntu.trusty:def:20147818000	V	CVE-2014-7818 on Ubuntu 14.04 LTS (trusty) - low.	2014-11-08
oval:com.ubuntu.bionic:def:201478180000000	V	CVE-2014-7818 on Ubuntu 18.04 LTS (bionic) - low.	2014-11-08
oval:com.ubuntu.bionic:def:20147818000	V	CVE-2014-7818 on Ubuntu 18.04 LTS (bionic) - low.	2014-11-08
oval:com.ubuntu.xenial:def:20147818000	V	CVE-2014-7818 on Ubuntu 16.04 LTS (xenial) - low.	2014-11-08
oval:com.ubuntu.xenial:def:201478180000000	V	CVE-2014-7818 on Ubuntu 16.04 LTS (xenial) - low.	2014-11-08
oval:com.ubuntu.cosmic:def:20147818000	V	CVE-2014-7818 on Ubuntu 18.10 (cosmic) - low.	2014-11-08
oval:com.ubuntu.precise:def:20147818000	V	CVE-2014-7818 on Ubuntu 12.04 LTS (precise) - low.	2014-11-08