CVE-2014-0130
In short
A vulnerability in Ruby on Rails allows attackers to read files they shouldn't access by using specially crafted requests when certain routing settings are enabled. This happens because the application doesn't properly validate file paths.
Technical detail
A directory traversal vulnerability in Rails' implicit-render mechanism affects Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1 when certain route globbing configurations are enabled. Remote attackers can exploit path traversal sequences in crafted requests to bypass path validation and read arbitrary files from the server filesystem.
Summary generated and translated by AI from the official description.
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
Public PoCs found — 1
github: github.com/omarkurt/cve-2014-0130 ★ 18
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
http://rhn.redhat.com/errata/RHSA-2014-1863.html
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130
http://www.securityfocus.com/bid/67244