Arbitrary File Existence Exposure Affecting actionpack package, versions < 4.1.7.1, >= 4.1; < 4.0.11.1, >= 3.3; < 3.2.21, >= 3.0.0


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.53% (77th percentile)
NVD
5.3 medium
Red Hat
5.3 medium

  • Snyk ID SNYK-RUBY-ACTIONPACK-20200
  • published 16 Nov 2014
  • disclosed 16 Nov 2014
  • credit Patrick Toomey, Remon Oldenbeuving

How to fix?

Upgrade actionpack to versions 3.0.0, 3.2.21, 4.0.11.1, 4.0.12, 4.1.7.1, 4.1.8 or higher.
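
To check a project against this advisory, the following added example (not Snyk's or the Rails project's code) reads the resolved actionpack version from a Gemfile.lock and tests it against the affected ranges given in the title. The function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Affected actionpack ranges, taken from the advisory title.
AFFECTED_RANGES = [
  Gem::Requirement.new(">= 3.0.0", "< 3.2.21"),
  Gem::Requirement.new(">= 3.3", "< 4.0.11.1"),
  Gem::Requirement.new(">= 4.1", "< 4.1.7.1"),
].freeze

# True when the given version string falls inside any affected range.
def actionpack_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Extract the resolved actionpack version from Gemfile.lock text.
# Resolved gems sit at a 4-space indent under "specs:"; the 6-space lines
# are dependency constraints of other gems and are ignored.
def locked_actionpack_version(lockfile_text)
  match = lockfile_text.match(/^ {4}actionpack \(([^)]+)\)\s*$/)
  match && match[1]
end

# Returns :absent, :affected or :not_affected for a lockfile's contents.
def audit_lockfile(lockfile_text)
  version = locked_actionpack_version(lockfile_text)
  return :absent if version.nil?
  actionpack_affected?(version) ? :affected : :not_affected
end

# Constructed sample lockfile (hypothetical project, not from the advisory).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.1.6)
        actionview (= 4.1.6)
      rails (4.1.6)
        actionpack (= 4.1.6)

  DEPENDENCIES
    rails (= 4.1.6)
LOCK

puts "actionpack #{locked_actionpack_version(SAMPLE_LOCKFILE)}: #{audit_lockfile(SAMPLE_LOCKFILE)}"
```

Checking the lockfile rather than the Gemfile matters here because actionpack is usually pulled in transitively by `rails`, so only the lockfile records the version actually installed.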

Overview

actionpack is a web app builder and tester on Rails.

Affected versions of this Gem are vulnerable to Arbitrary File Existence Exposure. Specially crafted requests can be used to determine whether a file exists on the file system, outside of the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.