Homepage
About Snyk

Arbitrary File Existence Exposure Affecting actionpack package, versions >=4.2.0.beta1, <4.2.0.beta3 >=4.1.0, <4.1.7 >=3.3.0, <4.0.11 >=3.0.0, <3.2.20

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 0.46% (75th percentile)
Expand this section
NVD
4.3 medium
Expand this section
Red Hat
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIONPACK-20198
  • published 29 Oct 2014
  • disclosed 29 Oct 2014
  • credit Eaden McKee, Dennis Hackethal, Christian Hansen, Juan C. Müller, Mike McClurg, Alex Ianus
Report a new vulnerability Found a mistake?

Introduced: 29 Oct 2014

CVE-2014-7818 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

Upgrade actionpack to versions 3.0.0, 3.2.20, 4.0.11, 4.1.7, 4.2.0.beta3 or higher.

Overview

actionpack is a web app builder and tester on Rails.

Affected versions of this Gem are vulnerable to Arbitrary File Existence Exposure. Specially crafted requests can be used to determine whether a file exists on the file system, outside of the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists.