CVE-2014-7819

Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.

Published: Nov 8, 2014
Updated: May 9, 2024
CVE: CVE-2014-7819
GHSA: GHSA-33pp-3763-mrfp
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
sprockets_project / sprockets	2.6.0	2.6.0.x
sprockets_project / sprockets	2.0.0	2.0.5
sprockets_project / sprockets	2.1.0	2.1.4
sprockets_project / sprockets	2.2.0	2.2.3
sprockets_project / sprockets	2.3.0	2.3.3
sprockets_project / sprockets	2.4.0	2.4.6
sprockets_project / sprockets	2.5.0	2.5.1
sprockets_project / sprockets	2.7.0	2.7.1
sprockets_project / sprockets	2.8.0	2.8.3
sprockets_project / sprockets	2.9.0	2.9.4
sprockets_project / sprockets	2.10.0	2.10.2
sprockets_project / sprockets	2.11.0	2.11.3
sprockets_project / sprockets	2.12.0	2.12.3
sprockets_project / sprockets	3.0.0-beta1	3.0.0-beta1.x
sprockets_project / sprockets	3.0.0-beta2	3.0.0-beta2.x
sprockets	-	2.0.5
sprockets	2.1.0	2.1.4
sprockets	2.2.0	2.2.3
sprockets	2.3.0	2.3.3
sprockets	2.4.0	2.4.6
sprockets	2.5.0	2.5.1
sprockets	2.6.0	2.7.1
sprockets	2.8.0	2.8.3
sprockets	2.9.0	2.9.4
sprockets	2.10.0	2.10.2
sprockets	2.11.0	2.11.3
sprockets	2.12.0	2.12.3

Vulnerability Database

289,784

CVE-2014-7819