Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMzcHAtMzc2My1tcmZw
sprockets vulnerable to Path Traversal
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMzcHAtMzc2My1tcmZw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: about 1 year ago
Identifiers: GHSA-33pp-3763-mrfp, CVE-2014-7819
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-7819
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
- https://access.redhat.com/errata/RHBA-2015:1100
- https://access.redhat.com/security/cve/CVE-2014-7819
- https://bugzilla.redhat.com/show_bug.cgi?id=1161527
- https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
- https://github.com/advisories/GHSA-33pp-3763-mrfp
Affected Packages
rubygems:sprockets
Dependent packages: 663
Dependent repositories: 862,908
Downloads: 443,939,313 total
Affected Version Ranges: >= 2.12.0, < 2.12.3; >= 2.11.0, < 2.11.3; >= 2.10.0, < 2.10.2; >= 2.9.0, < 2.9.4; >= 2.8.0, < 2.8.3; >= 2.6.0, < 2.7.1; >= 2.5.0, < 2.5.1; >= 2.4.0, < 2.4.6; >= 2.3.0, < 2.3.3; >= 2.2.0, < 2.2.3; >= 2.1.0, < 2.1.4; < 2.0.5
Fixed in: 2.12.3, 2.11.3, 2.10.2, 2.9.4, 2.8.3, 2.7.1, 2.5.1, 2.4.6, 2.3.3, 2.2.3, 2.1.4, 2.0.5
All affected versions: 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2
All unaffected versions: 2.0.5, 2.1.4, 2.2.3, 2.3.3, 2.4.6, 2.5.1, 2.7.1, 2.8.3, 2.9.4, 2.10.2, 2.11.3, 2.12.3, 2.12.4, 2.12.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1