CVE-2014-7829
Published: November 18, 2014
Updated: May 23, 2026
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
Affected Packages
actionpack (RUBY):
Affected version(s): >=4.2.0.beta1 <4.2.0.beta4
Fix Suggestion: Update to version 4.2.0.beta4
actionpack (RUBY):
Affected version(s): >=4.1.0 <4.1.8
Fix Suggestion: Update to version 4.1.8
actionpack (RUBY):
Affected version(s): >=3.0.0 <3.2.21
Fix Suggestion: Update to version 3.2.21
actionpack (RUBY):
Affected version(s): >=4.0.0 <4.0.12
Fix Suggestion: Update to version 4.0.12
CVSS v3
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE
CVSS v2
Base Score: 5
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS
Base Score: 0.27