CVE-2014-7829
rails Severe
File Access
Discovered over 5 years ago
Published almost 6 years ago
Category: File Access
Source: NIST NVD
Severity: Severe

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but the specially crafted string is slightly different.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial None None
Patched Versions

~> 3.2.21 ~> 4.0.11.1 ~> 4.0.12 ~> 4.1.7.1 >= 4.1.8

Unaffected Versions

< 3.0.0

CVE-2014-7818
rails Moderate
File Access
Discovered over 5 years ago
Published almost 6 years ago
Category: File Access
Source: NIST NVD
Severity: Moderate

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether or not the file exists.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial None None
Patched Versions

~> 3.2.20 ~> 4.0.11 ~> 4.1.7 >= 4.2.0.beta3

Unaffected Versions

< 3.0.0

CVE-2014-0130
rails Moderate
Attribute Restriction
Discovered over 5 years ago
Published over 6 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Moderate

There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails.The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None Partial None None
Patched Versions

~> 3.2.18 ~> 4.0.5 >= 4.1.1

Unaffected Versions

n/a