CVE-2014-7818

medium

Published 2014-10-30 · Modified 2024-11-29

CVSS v3

—

CVSS v2

4.3

VIR risk

4.3

Description

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-7818

OS impact

OS	Version	Status	Fixed in
suse	12.3	affected
suse	13.1	affected
suse	13.2	affected
debian	bookworm	fixed	`2:4.1.8-1`
debian	bullseye	fixed	`2:4.1.8-1`
debian	forky	fixed	`2:4.1.8-1`
debian	sid	fixed	`2:4.1.8-1`
debian	trixie	fixed	`2:4.1.8-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	actionpack	`!< 3.0.0\|\|<~> 3.2.20`	`~> 3.2.20`
RubyGems	actionpack	`>=3.0.0,<3.2.20`	`3.2.20`
RubyGems	actionpack	`>=4.0.0,<4.0.11`	`4.0.11`
RubyGems	actionpack	`>=4.1.0,<4.1.7`	`4.1.7`
RubyGems	actionpack	`>=4.2.0.beta1,<4.2.0.beta3`	`4.2.0.beta3`

Application impact

Vendor	Product	Versions
rubyonrails	rails	`3.0.0`
rubyonrails	rails	`3.0.1`
rubyonrails	rails	`3.0.2`
rubyonrails	rails	`3.0.3`
rubyonrails	rails	`3.0.4`
rubyonrails	rails	`3.0.5`
rubyonrails	rails	`3.0.6`
rubyonrails	rails	`3.0.7`
rubyonrails	rails	`3.0.8`
rubyonrails	rails	`3.0.9`
rubyonrails	rails	`3.0.10`
rubyonrails	rails	`3.0.11`
rubyonrails	rails	`3.0.12`
rubyonrails	rails	`3.0.13`
rubyonrails	rails	`3.0.14`
rubyonrails	rails	`3.0.16`
rubyonrails	rails	`3.0.17`
rubyonrails	rails	`3.0.18`
rubyonrails	rails	`3.0.19`
rubyonrails	rails	`3.0.20`
rubyonrails	rails	`3.1.0`
rubyonrails	rails	`3.1.1`
rubyonrails	rails	`3.1.2`
rubyonrails	rails	`3.1.3`
rubyonrails	rails	`3.1.4`
rubyonrails	rails	`3.1.5`
rubyonrails	rails	`3.1.6`
rubyonrails	rails	`3.1.7`
rubyonrails	rails	`3.1.8`
rubyonrails	rails	`3.1.9`
rubyonrails	rails	`3.1.10`
rubyonrails	rails	`3.2.0`
rubyonrails	rails	`3.2.1`
rubyonrails	rails	`3.2.2`
rubyonrails	rails	`3.2.3`
rubyonrails	rails	`3.2.4`
rubyonrails	rails	`3.2.5`
rubyonrails	rails	`3.2.6`
rubyonrails	rails	`3.2.7`
rubyonrails	rails	`3.2.8`
rubyonrails	rails	`3.2.10`
rubyonrails	rails	`3.2.11`
rubyonrails	rails	`3.2.12`
rubyonrails	rails	`3.2.13`
rubyonrails	rails	`3.2.15`
rubyonrails	rails	`3.2.16`
rubyonrails	rails	`3.2.17`
rubyonrails	rails	`3.2.18`
rubyonrails	rails	`4.0.0`
rubyonrails	rails	`4.0.1`
rubyonrails	rails	`4.0.2`
rubyonrails	rails	`4.0.3`
rubyonrails	rails	`4.0.4`
rubyonrails	rails	`4.0.5`
rubyonrails	rails	`4.0.6`
rubyonrails	rails	`4.0.7`
rubyonrails	rails	`4.0.8`
rubyonrails	rails	`4.0.9`
rubyonrails	rails	`4.0.10`
rubyonrails	rails	`4.1.0`
rubyonrails	rails	`4.1.1`
rubyonrails	rails	`4.1.2`
rubyonrails	rails	`4.1.3`
rubyonrails	rails	`4.1.4`
rubyonrails	rails	`4.1.5`
rubyonrails	rails	`4.1.6`
rubyonrails	rails	`4.2.0`
rubyonrails	ruby_on_rails	`3.0.4`
rubyonrails	ruby_on_rails	`3.2.19`

References

CWEs

CWE-22

Verify integrity in audit chain (admin only). AS-IS.