<p>Upgrade <code>actionpack</code> to versions 3.0.0, 3.2.21, 4.0.11.1, 4.0.12, 4.1.7.1, 4.1.8 or higher.</p>

= 3.0.0

Threat Intelligence

0.53% (78^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-ACTIONPACK-20200
published 16 Nov 2014
disclosed 16 Nov 2014
credit Patrick Toomey, Remon Oldenbeuving

Report a new vulnerability Found a mistake?

Introduced: 16 Nov 2014

CVE-2014-7829 Open this link in a new tab CWE-200 Open this link in a new tab

How to fix?

Upgrade actionpack to versions 3.0.0, 3.2.21, 4.0.11.1, 4.0.12, 4.1.7.1, 4.1.8 or higher.

Overview

actionpack is a web app builder and tester on Rails.

Affected versions of this Gem are vulnerable to Arbitrary File Existence Exposure. Specially crafted requests can be used to determine whether a file exists on the file system, outside of the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

None
Availability (A)

None

Arbitrary File Existence Exposure Affecting actionpack package, versions < 4.1.7.1, >= 4.1 < 4.0.11.1, >= 3.3 < 3.2.21, >= 3.0.0

Severity

CVSS assessment made by Snyk's Security Team