Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMzcHAtMzc2My1tcmZw
sprockets vulnerable to Path Traversal
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMzcHAtMzc2My1tcmZw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 7 years ago
Updated: almost 2 years ago
EPSS Percentage: 0.00545
EPSS Percentile: 0.77215
Identifiers: GHSA-33pp-3763-mrfp, CVE-2014-7819
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-7819
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
- https://access.redhat.com/errata/RHBA-2015:1100
- https://access.redhat.com/security/cve/CVE-2014-7819
- https://bugzilla.redhat.com/show_bug.cgi?id=1161527
- https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
- https://github.com/advisories/GHSA-33pp-3763-mrfp
Affected Packages
rubygems:sprockets
Dependent packages: 666Dependent repositories: 862,908
Downloads: 490,481,370 total
Affected Version Ranges: >= 2.12.0, < 2.12.3, >= 2.11.0, < 2.11.3, >= 2.10.0, < 2.10.2, >= 2.9.0, < 2.9.4, >= 2.8.0, < 2.8.3, >= 2.6.0, < 2.7.1, >= 2.5.0, < 2.5.1, >= 2.4.0, < 2.4.6, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, >= 2.1.0, < 2.1.4, < 2.0.5
Fixed in: 2.12.3, 2.11.3, 2.10.2, 2.9.4, 2.8.3, 2.7.1, 2.5.1, 2.4.6, 2.3.3, 2.2.3, 2.1.4, 2.0.5
All affected versions: 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2
All unaffected versions: 2.0.5, 2.1.4, 2.2.3, 2.3.3, 2.4.6, 2.5.1, 2.7.1, 2.8.3, 2.9.4, 2.10.2, 2.11.3, 2.12.3, 2.12.4, 2.12.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1