Arbitrary File Existence Exposure Affecting actionpack package, versions >=4.2.0.beta1, <4.2.0.beta3 >=4.1.0, <4.1.7 >=3.3.0, <4.0.11 >=3.0.0, <3.2.20
Threat Intelligence
EPSS
0.46% (76th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-ACTIONPACK-20198
- published 29 Oct 2014
- disclosed 29 Oct 2014
- credit Eaden McKee, Dennis Hackethal, Christian Hansen, Juan C. Müller, Mike McClurg, Alex Ianus
Introduced: 29 Oct 2014
CVE-2014-7818 Open this link in a new tabHow to fix?
Upgrade actionpack to versions 3.0.0, 3.2.20, 4.0.11, 4.1.7, 4.2.0.beta3 or higher.
Overview
actionpack is a web app builder and tester on Rails.
Affected versions of this Gem are vulnerable to Arbitrary File Existence Exposure. Specially crafted requests can be used to determine whether a file exists on the file system, outside of the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.
References
CVSS Scores
version 3.1