Arbitrary file existence disclosure in Action Pack

There is an information leak vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2014-7829.

Versions Affected: >= 3.0.0
Not affected: < 3.0.0, 4.2.0.beta4
Fixed Versions: 3.2.21, 4.0.12, 4.1.8

Impact
------
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but the specially crafted string is slightly different.

This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say:

config.serve_static_assets = true

All users running an affected configuration should either upgrade or use one of the workarounds immediately.
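The advisory above describes a static-file middleware that let a request name a path outside the public directory. The following is an added example of the containment check such a middleware needs; it is not Rails' own code from static.rb or the fix shipped in the patched versions. The root directory and the sample request paths are constructed for illustration, and the function name is a hypothetical one chosen here.

```ruby
require "uri"

# Constructed example root; no such directory needs to exist for the
# path arithmetic below to work.
PUBLIC_ROOT = File.expand_path("/srv/app/public")

# Resolve a request path against the static-file root and return the
# absolute filesystem path it names, or nil when the request would land
# outside the root. Returning nil (rather than checking File.exist? first)
# is what prevents a file-existence oracle: the caller never consults the
# filesystem for a path that failed containment.
def safe_static_path(request_path, root = PUBLIC_ROOT)
  # Decode percent-encoding once so an encoded separator ("%2F") is
  # compared in the same form as a literal one.
  decoded = URI.decode_www_form_component(request_path)

  # Reject NUL bytes and backslashes outright. On Windows the backslash is
  # a directory separator, and the advisory's vector relies on the two
  # separators being treated inconsistently; a URL path has no legitimate
  # use for either character.
  return nil if decoded.include?("\0") || decoded.include?("\\")

  # Collapse "." and ".." segments relative to the root, then require the
  # result to stay strictly under the root (note the trailing "/" so that
  # "/srv/app/public-old" does not pass as a prefix match).
  candidate = File.expand_path(decoded.sub(%r{\A/+}, ""), root)
  prefix = root.end_with?("/") ? root : root + "/"
  return nil unless candidate.start_with?(prefix)

  candidate
rescue ArgumentError
  # Malformed percent-encoding (or an unexpandable "~user" form) is
  # treated the same as an escape attempt.
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests: one benign, one with an in-root "..",
  # and three that try to leave the root by different spellings.
  [
    "/assets/app.js",
    "/assets/../index.html",
    "/../../etc/passwd",
    "/..%2F..%2Fetc/passwd",
    "/..\\..\\etc/passwd"
  ].each do |req|
    puts "#{req.inspect} => #{safe_static_path(req).inspect}"
  end
end
```

The order of operations matters: decoding happens before the separator checks so that an encoded traversal is seen for what it is, and the prefix comparison is done on the fully expanded path rather than on the raw request string, so that any combination of "." and ".." segments is judged by where it actually ends up.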
Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree.
(In reply to Hans de Graaff from comment #1) > Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree. Thanks, Hans. Can you please drop the vulnerable versions and then we can call this bug resolved?
Vulnerable versions have now been removed.
CVE-2014-7829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7829): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.

CVE-2014-7818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7818): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.