CVE-2014-7819
Sprockets Path Traversal via Double Slash or URL-Encoded Dot-Dot-Slash Sequences
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
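The two bypass classes the description names, as an added Ruby example that is not Sprockets' own server.rb code: a naive check that tests the raw, still-encoded PATH_INFO for ".." and strips exactly one leading slash, beside a hardened resolver that percent-decodes first, discards empty segments (so a leading "//" cannot leave an absolute path behind), rejects any dot segment, and confirms the resolved path still lies under the asset root. The constant ASSET_ROOT, the function names, the EXISTING file list and the sample request paths are assumptions constructed for this example; the 200/404/403 mapping is a stand-in for the server's responses, which is what turns the traversal into the file-existence oracle the CVE describes.

```ruby
# Constructed illustration of CVE-2014-7819's vector classes; not Sprockets code.
ASSET_ROOT = "/srv/app/assets".freeze            # assumed asset root

# Percent-decode (%2e -> ".", %2f -> "/"). Decoding happens on a byte copy so
# high bytes cannot raise an encoding error mid-gsub.
def percent_decode(s)
  s.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Weak resolver: looks for ".." in the raw (still-encoded) path and strips
# exactly one leading slash before joining with the root.
#   - "%2e%2e" never matches the literal ".." test, so it slips through.
#   - "//etc/passwd" becomes "/etc/passwd" after one slash is removed, and an
#     absolute relative path makes File.expand_path ignore the root entirely.
def naive_resolve(path_info, root = ASSET_ROOT)
  return nil if path_info.include?("..")
  rel = percent_decode(path_info.sub(%r{\A/}, ""))
  File.expand_path(rel, root)
end

# Hardened resolver: decode first, then reason about path segments.
def hardened_resolve(path_info, root = ASSET_ROOT)
  # Dropping empty segments normalises "//" away, so no absolute path can
  # be reconstructed from a doubled slash and no segment can be hidden.
  segments = percent_decode(path_info).split("/").reject(&:empty?)
  return nil if segments.empty?
  return nil if segments.any? { |seg| seg == ".." || seg == "." }
  full = File.expand_path(File.join(root, *segments))
  # Belt and braces: whatever the segments were, the result must stay under root.
  return nil unless full.start_with?(root + "/")
  full
end

# Constructed stand-in for the file system: which absolute paths "exist".
EXISTING = ["/srv/app/assets/application.js", "/etc/passwd"].freeze

# Status the asset server would answer with. Under the naive resolver a path
# outside the root yields 200 vs 404 depending on whether the file exists,
# which is exactly the existence disclosure the advisory describes; the
# hardened resolver answers 403 to both.
def status_for(path_info, hardened:)
  full = hardened ? hardened_resolve(path_info) : naive_resolve(path_info)
  return 403 if full.nil?
  EXISTING.include?(full) ? 200 : 404
end

if $PROGRAM_NAME == __FILE__
  ["/application.js", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
   "/%2e%2e/%2e%2e/%2e%2e/etc/shadow", "//etc/passwd"].each do |p|
    printf("%-40s naive=%d hardened=%d\n", p,
           status_for(p, hardened: false), status_for(p, hardened: true))
  end
end
```

File.expand_path only normalises the string; it does not follow symlinks, so if anything under the asset root may be a symlink, call File.realpath on the existing file and repeat the prefix check on the result. Double-encoded input ("%252e%252e") decodes to a literal "%2e%2e" segment, which the hardened resolver treats as an ordinary (non-existent) file name rather than a traversal.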
References (6)
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
Third Party Advisory (mailing-list, x_refsource_mlist): https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html
Third Party Advisory (mailing-list, x_refsource_mlist): https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ
Scores
EPSS: 0.0075 (percentile 73.3%)
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (4)
rubygems/sprockets: 0 - 2.0.5 (RubyGems)
sprockets_project/sprockets: 2.6.0
sprockets_project/sprockets: 3.0.0 beta1 (2 CPE variants)
sprockets_project/sprockets: 2.0.0 - 2.0.5
Published: Nov 08, 2014
Tracked Since: Feb 18, 2026