Vulnerability Name: CVE-2014-7829 (CCN-98732)
Assigned: 2014-11-17
Published: 2014-11-17
Updated: 2019-08-08
Summary: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N); 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
CCN CVSS v2 Severity: 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-22
Vulnerability Consequences: Obtain Information
References:
Source: MITRE, Type: CNA: CVE-2014-7829
Source: SUSE, Type: UNKNOWN: openSUSE-SU-2014:1515
Source: CCN, Type: oss-security Mailing List, Mon, 17 Nov 2014 08:10:10 -0800: [CVE-2014-7829] Arbitrary file existence disclosure in Action Pack
Source: CCN, Type: Ruby on Rails Web Site: Rails 3.2.21, 4.0.12, and 4.1.8 have been released
Source: CCN, Type: IBM Security Bulletin 1702788: IBM License Metric Tool v9 is vulnerable to two attacks on Ruby on Rails component - CVE-2014-0130, CVE-2014-7829
Source: CCN, Type: IBM Security Bulletin 1882702: IBM Endpoint Manager for Software Use Analysis v9 and v2.2 are vulnerable to two attacks on Ruby on Rails component - CVE-2014-0130, CVE-2014-7829
Source: CCN, Type: IBM Security Bulletin 1903644: Vulnerability in Ruby on Rails affects IBM Endpoint Manager for Security Configuration Management (CVE-2014-7829)
Source: BID, Type: UNKNOWN: 71183
Source: CCN, Type: BID-71183: Ruby on Rails Action Pack Comp CVE-2014-7829 Incomplete Fix Information Disclosure Vulnerability
Source: XF, Type: UNKNOWN: rubyonrails-cve20147829-info-disc(98732)
Source: MLIST, Type: Exploit: [rubyonrails-security] 20141117 [CVE-2014-7829] Arbitrary file existence disclosure in Action Pack
Source: CONFIRM, Type: UNKNOWN: https://puppet.com/security/cve/cve-2014-7829
Source: CCN, Type: WhiteSource Vulnerability Database: CVE-2014-7829
Vulnerable Configuration:
Configuration 1: openSUSE 12.3 OR openSUSE 13.1 OR openSUSE 13.2
Configuration 2: Ruby on Rails, any of the rubyonrails versions (including the listed betas, release candidates and pre-releases) enumerated in the affected-product list below
Configuration CCN 1: Ruby on Rails 3.0.0 AND (IBM License Metric Tool 9.0 OR 9.0.1 OR 9.1)
Affected products (vendor, product, version):
opensuse opensuse 12.3
opensuse opensuse 13.1
opensuse opensuse 13.2
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0 beta
rubyonrails rails 3.0.0 beta2
rubyonrails rails 3.0.0 beta3
rubyonrails rails 3.0.0 beta4
rubyonrails rails 3.0.0 rc
rubyonrails rails 3.0.0 rc2
rubyonrails rails 3.0.1
rubyonrails rails 3.0.1 pre
rubyonrails rails 3.0.2
rubyonrails rails 3.0.2 pre
rubyonrails rails 3.0.3
rubyonrails rails 3.0.4 rc1
rubyonrails rails 3.0.5
rubyonrails rails 3.0.5 rc1
rubyonrails rails 3.0.6
rubyonrails rails 3.0.6 rc1
rubyonrails rails 3.0.6 rc2
rubyonrails rails 3.0.7
rubyonrails rails 3.0.7 rc1
rubyonrails rails 3.0.7 rc2
rubyonrails rails 3.0.8
rubyonrails rails 3.0.8 rc1
rubyonrails rails 3.0.8 rc2
rubyonrails rails 3.0.8 rc3
rubyonrails rails 3.0.8 rc4
rubyonrails rails 3.0.9
rubyonrails rails 3.0.9 rc1
rubyonrails rails 3.0.9 rc2
rubyonrails rails 3.0.9 rc3
rubyonrails rails 3.0.9 rc4
rubyonrails rails 3.0.9 rc5
rubyonrails rails 3.0.10
rubyonrails rails 3.0.10 rc1
rubyonrails rails 3.0.11
rubyonrails rails 3.0.12
rubyonrails rails 3.0.12 rc1
rubyonrails rails 3.0.13
rubyonrails rails 3.0.13 rc1
rubyonrails rails 3.0.14
rubyonrails rails 3.0.16
rubyonrails rails 3.0.17
rubyonrails rails 3.0.18
rubyonrails rails 3.0.19
rubyonrails rails 3.0.20
rubyonrails rails 3.1.0
rubyonrails rails 3.1.0 beta1
rubyonrails rails 3.1.0 rc1
rubyonrails rails 3.1.0 rc2
rubyonrails rails 3.1.0 rc3
rubyonrails rails 3.1.0 rc4
rubyonrails rails 3.1.0 rc5
rubyonrails rails 3.1.0 rc6
rubyonrails rails 3.1.0 rc7
rubyonrails rails 3.1.0 rc8
rubyonrails rails 3.1.1
rubyonrails rails 3.1.1 rc1
rubyonrails rails 3.1.1 rc2
rubyonrails rails 3.1.1 rc3
rubyonrails rails 3.1.2
rubyonrails rails 3.1.2 rc1
rubyonrails rails 3.1.2 rc2
rubyonrails rails 3.1.3
rubyonrails rails 3.1.4
rubyonrails rails 3.1.4 rc1
rubyonrails rails 3.1.5
rubyonrails rails 3.1.5 rc1
rubyonrails rails 3.1.6
rubyonrails rails 3.1.7
rubyonrails rails 3.1.8
rubyonrails rails 3.1.9
rubyonrails rails 3.1.10
rubyonrails rails 3.2.0
rubyonrails rails 3.2.0 rc1
rubyonrails rails 3.2.0 rc2
rubyonrails rails 3.2.1
rubyonrails rails 3.2.2
rubyonrails rails 3.2.2 rc1
rubyonrails rails 3.2.3
rubyonrails rails 3.2.3 rc1
rubyonrails rails 3.2.3 rc2
rubyonrails rails 3.2.4
rubyonrails rails 3.2.4 rc1
rubyonrails rails 3.2.5
rubyonrails rails 3.2.6
rubyonrails rails 3.2.7
rubyonrails rails 3.2.8
rubyonrails rails 3.2.10
rubyonrails rails 3.2.11
rubyonrails rails 3.2.12
rubyonrails rails 3.2.13 rc1
rubyonrails rails 3.2.13 rc2
rubyonrails rails 3.2.15 rc3
rubyonrails rails 3.2.16
rubyonrails rails 3.2.17
rubyonrails rails 3.2.18
rubyonrails rails 4.0.0 -
rubyonrails rails 4.0.0 beta
rubyonrails rails 4.0.0 rc1
rubyonrails rails 4.0.0 rc2
rubyonrails rails 4.0.1 -
rubyonrails rails 4.0.1 rc1
rubyonrails rails 4.0.1 rc2
rubyonrails rails 4.0.1 rc3
rubyonrails rails 4.0.1 rc4
rubyonrails rails 4.0.2
rubyonrails rails 4.0.3
rubyonrails rails 4.0.4
rubyonrails rails 4.0.5
rubyonrails rails 4.0.6
rubyonrails rails 4.0.6 rc1
rubyonrails rails 4.0.6 rc2
rubyonrails rails 4.0.6 rc3
rubyonrails rails 4.0.7
rubyonrails rails 4.0.8
rubyonrails rails 4.0.9
rubyonrails rails 4.0.10
rubyonrails rails 4.0.10 rc1
rubyonrails rails 4.1.0 -
rubyonrails rails 4.1.0 beta1
rubyonrails rails 4.1.1
rubyonrails rails 4.1.2
rubyonrails rails 4.1.2 rc1
rubyonrails rails 4.1.2 rc2
rubyonrails rails 4.1.2 rc3
rubyonrails rails 4.1.3
rubyonrails rails 4.1.4
rubyonrails rails 4.1.5
rubyonrails rails 4.1.6
rubyonrails rails 4.1.6 rc1
rubyonrails rails 4.1.7
rubyonrails rails 4.2.0 beta1
rubyonrails rails 4.2.0 beta2
rubyonrails rails 4.2.0 beta3
rubyonrails ruby on rails 3.0.4
rubyonrails ruby on rails 3.2.19
rubyonrails ruby on rails 3.2.20
rubyonrails ruby on rails 4.0.11
rubyonrails ruby on rails 3.0
ibm license metric tool 9.0
ibm license metric tool 9.0.1
ibm license metric tool 9.1
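The summary above describes a CWE-22 check in a static-file handler that did not account for a backslash in the request path. As an added example that is not Rails' own static.rb, the Ruby below models such a handler with the containment checks it needs (decode first, reject backslashes and ".." segments, then confirm the resolved path is still under the root) and answers a rejected path and a missing file with the same 404, so the status cannot be used to learn whether files outside the root exist. The root directory, file names and helper names are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"
# Byte-wise percent-decode, then reinterpret as UTF-8 so bad sequences fail valid_encoding?.
def percent_decode(request_path)
  request_path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Classify a request path against the asset root: [:served, file],
# [:not_found, nil] or [:rejected, nil] (the one worth logging as a probe).
def classify_static(root, request_path)
  root = File.expand_path(root)
  path = percent_decode(request_path)
  # Only plain forward-slash paths are acceptable: bad encodings, NUL bytes and
  # backslashes (a separator on Windows, a glob escape in Ruby's Dir[]) are out.
  return [:rejected, nil] unless path.valid_encoding?
  return [:rejected, nil] if path.include?("\0") || path.include?("\\")
  segments = path.split("/").reject { |s| s.empty? || s == "." }
  return [:rejected, nil] if segments.include?("..")
  full = File.expand_path(File.join(root, *segments))
  # Belt and braces: whatever the normaliser did, the result must stay under root.
  return [:rejected, nil] unless full == root || full.start_with?(root + File::SEPARATOR)
  File.file?(full) ? [:served, full] : [:not_found, nil]
end

# HTTP view: a rejected path and a missing file both answer 404 with an empty
# body, so the status can not be used to probe for files outside the root.
def static_response(root, request_path)
  verdict, file = classify_static(root, request_path)
  verdict == :served ? [200, File.read(file)] : [404, ""]
end

# Constructed fixture: public/ root with one asset; secret.txt sits outside it.
def with_demo_tree
  Dir.mktmpdir do |dir|
    public_dir = File.join(dir, "public")
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, "app.css"), "body{}")
    File.write(File.join(dir, "secret.txt"), "top secret")
    yield public_dir
  end
end

if __FILE__ == $0
  with_demo_tree do |root|
    ["/app.css", "/missing.css", "/../secret.txt", "/..%5Csecret.txt", "/%2e%2e/secret.txt"].each do |p|
      puts "#{p.ljust(20)} -> #{classify_static(root, p).first} (HTTP #{static_response(root, p).first})"
    end
  end
end
```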