// For flags

CVE-2014-0130

Ruby on Rails Directory Traversal Vulnerability

Severity Score

4.3
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

Vulnerabilidad de salto de directorio en actionpack/lib/abstract_controller/base.rb en la implementación implicit-render en Ruby on Rails anterior a 3.2.18, 4.0.x anterior a 4.0.5 y 4.1.x anterior a 4.1.1, cuando ciertas configuraciones de coincidencia de patrones en rutas basadas en caracteres comodín (globbing) están habilitadas, permite a atacantes remotos leer archivos arbitrarios a través de una solicitud manipulada.

A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2013-12-03 CVE Reserved
  • 2014-05-07 CVE Published
  • 2022-03-25 Exploited in Wild
  • 2022-04-15 KEV Due Date
  • 2024-07-17 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
Subscription Asset Manager
Search vendor "Redhat" for product "Subscription Asset Manager"
<= 1.3.0
Search vendor "Redhat" for product "Subscription Asset Manager" and version " <= 1.3.0"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.0
Search vendor "Rubyonrails" for product "Rails" and version "3.2.0"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.0
Search vendor "Rubyonrails" for product "Rails" and version "3.2.0"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.0
Search vendor "Rubyonrails" for product "Rails" and version "3.2.0"
rc2
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.1
Search vendor "Rubyonrails" for product "Rails" and version "3.2.1"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.2
Search vendor "Rubyonrails" for product "Rails" and version "3.2.2"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.2
Search vendor "Rubyonrails" for product "Rails" and version "3.2.2"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.3
Search vendor "Rubyonrails" for product "Rails" and version "3.2.3"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.3
Search vendor "Rubyonrails" for product "Rails" and version "3.2.3"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.3
Search vendor "Rubyonrails" for product "Rails" and version "3.2.3"
rc2
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.4
Search vendor "Rubyonrails" for product "Rails" and version "3.2.4"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.4
Search vendor "Rubyonrails" for product "Rails" and version "3.2.4"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.5
Search vendor "Rubyonrails" for product "Rails" and version "3.2.5"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.6
Search vendor "Rubyonrails" for product "Rails" and version "3.2.6"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.7
Search vendor "Rubyonrails" for product "Rails" and version "3.2.7"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.8
Search vendor "Rubyonrails" for product "Rails" and version "3.2.8"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.9
Search vendor "Rubyonrails" for product "Rails" and version "3.2.9"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.10
Search vendor "Rubyonrails" for product "Rails" and version "3.2.10"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.11
Search vendor "Rubyonrails" for product "Rails" and version "3.2.11"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.12
Search vendor "Rubyonrails" for product "Rails" and version "3.2.12"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.13
Search vendor "Rubyonrails" for product "Rails" and version "3.2.13"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.13
Search vendor "Rubyonrails" for product "Rails" and version "3.2.13"
rc2
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.15
Search vendor "Rubyonrails" for product "Rails" and version "3.2.15"
rc3
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
3.2.16
Search vendor "Rubyonrails" for product "Rails" and version "3.2.16"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.0
Search vendor "Rubyonrails" for product "Rails" and version "4.0.0"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.0
Search vendor "Rubyonrails" for product "Rails" and version "4.0.0"
beta
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.0
Search vendor "Rubyonrails" for product "Rails" and version "4.0.0"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.0
Search vendor "Rubyonrails" for product "Rails" and version "4.0.0"
rc2
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.1
Search vendor "Rubyonrails" for product "Rails" and version "4.0.1"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.1
Search vendor "Rubyonrails" for product "Rails" and version "4.0.1"
rc1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.1
Search vendor "Rubyonrails" for product "Rails" and version "4.0.1"
rc2
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.1
Search vendor "Rubyonrails" for product "Rails" and version "4.0.1"
rc3
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.1
Search vendor "Rubyonrails" for product "Rails" and version "4.0.1"
rc4
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.2
Search vendor "Rubyonrails" for product "Rails" and version "4.0.2"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.3
Search vendor "Rubyonrails" for product "Rails" and version "4.0.3"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.0.4
Search vendor "Rubyonrails" for product "Rails" and version "4.0.4"
-
Affected
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.1.0
Search vendor "Rubyonrails" for product "Rails" and version "4.1.0"
-
Safe
Rubyonrails
Search vendor "Rubyonrails"
Rails
Search vendor "Rubyonrails" for product "Rails"
4.1.0
Search vendor "Rubyonrails" for product "Rails" and version "4.1.0"
beta1
Affected
Rubyonrails
Search vendor "Rubyonrails"
Ruby On Rails
Search vendor "Rubyonrails" for product "Ruby On Rails"
<= 3.2.17
Search vendor "Rubyonrails" for product "Ruby On Rails" and version " <= 3.2.17"
-
Affected