Arbitrary File Existence Exposure Affecting actionpack package, versions >=4.2.0.beta1, <4.2.0.beta3; >=4.1.0, <4.1.7; >=3.3.0, <4.0.11; >=3.0.0, <3.2.20
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
Threat Intelligence
- EPSS: 0.46% (75th percentile)
- Snyk ID SNYK-RUBY-ACTIONPACK-20198
- published 29 Oct 2014
- disclosed 29 Oct 2014
- credit Eaden McKee, Dennis Hackethal, Christian Hansen, Juan C. Müller, Mike McClurg, Alex Ianus
Introduced: 29 Oct 2014
CVE-2014-7818
How to fix?
Upgrade actionpack to versions 3.0.0, 3.2.20, 4.0.11, 4.1.7, 4.2.0.beta3 or higher.
Overview
actionpack is a web app builder and tester on Rails.
Affected versions of this Gem are vulnerable to Arbitrary File Existence Exposure. Specially crafted requests can be used to determine whether a file exists on the file system, outside of the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.
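To check whether a project resolves to an affected release, the version ranges listed at the top of this advisory can be tested against the actionpack entry in Gemfile.lock. The script below is an added example, not code from Snyk or the Rails project; its constant and function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges copied from this advisory (CVE-2014-7818).
AFFECTED_RANGES = [
  [">= 4.2.0.beta1", "< 4.2.0.beta3"],
  [">= 4.1.0", "< 4.1.7"],
  [">= 3.3.0", "< 4.0.11"],
  [">= 3.0.0", "< 3.2.20"],
].map { |bounds| Gem::Requirement.new(*bounds) }

# Resolved gems sit at four spaces of indent under "specs:". Dependency
# constraints sit deeper and carry an operator, so they do not match.
LOCKED_SPEC = /^ {4}actionpack \(([^\s)]+)\)\s*$/

# Returns the locked actionpack version as a string, or nil if absent.
def locked_actionpack_version(lockfile_text)
  match = lockfile_text.match(LOCKED_SPEC)
  match && match[1]
end

# True when the version falls inside any affected range. Gem::Version
# orders prereleases correctly (4.2.0.beta2 < 4.2.0.beta3 < 4.2.0).
def affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(version) }
end

# Returns :affected, :not_affected or :not_found for a Gemfile.lock body.
def audit_lockfile(lockfile_text)
  version = locked_actionpack_version(lockfile_text)
  return :not_found if version.nil?
  affected?(version) ? :affected : :not_affected
end

# Constructed sample lockfile fragment, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.1.6)
        actionview (= 4.1.6)
      rails (4.1.6)
        actionpack (= 4.1.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCK
  puts "actionpack #{locked_actionpack_version(text).inspect}: #{audit_lockfile(text)}"
end
```

Pass the path to a Gemfile.lock as the first argument; with no argument the script audits the constructed sample.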