CVE-2014-7818 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	4.3 UNKNOWN	NETWORK	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Vendor	Product	Version
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0:beta
rubyonrails	rails	3.0.0:beta2
rubyonrails	rails	3.0.0:beta3
rubyonrails	rails	3.0.0:beta4
rubyonrails	rails	3.0.0:rc
rubyonrails	rails	3.0.0:rc2
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.1:pre
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.2:pre
rubyonrails	rails	3.0.3
rubyonrails	rails	3.0.4:rc1
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.5:rc1
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6:rc1
rubyonrails	rails	3.0.6:rc2
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7:rc1
rubyonrails	rails	3.0.7:rc2
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8:rc1
rubyonrails	rails	3.0.8:rc2
rubyonrails	rails	3.0.8:rc3
rubyonrails	rails	3.0.8:rc4
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9:rc1
rubyonrails	rails	3.0.9:rc2
rubyonrails	rails	3.0.9:rc3
rubyonrails	rails	3.0.9:rc4
rubyonrails	rails	3.0.9:rc5
rubyonrails	rails	3.0.10
rubyonrails	rails	3.0.10:rc1
rubyonrails	rails	3.0.11
rubyonrails	rails	3.0.12
rubyonrails	rails	3.0.12:rc1
rubyonrails	rails	3.0.13
rubyonrails	rails	3.0.13:rc1
rubyonrails	rails	3.0.14
rubyonrails	rails	3.0.16
rubyonrails	rails	3.0.17
rubyonrails	rails	3.0.18
rubyonrails	rails	3.0.19
rubyonrails	rails	3.0.20
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0:beta1
rubyonrails	rails	3.1.0:rc1
rubyonrails	rails	3.1.0:rc2
rubyonrails	rails	3.1.0:rc3
rubyonrails	rails	3.1.0:rc4
rubyonrails	rails	3.1.0:rc5
rubyonrails	rails	3.1.0:rc6
rubyonrails	rails	3.1.0:rc7
rubyonrails	rails	3.1.0:rc8
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.1:rc1
rubyonrails	rails	3.1.1:rc2
rubyonrails	rails	3.1.1:rc3
rubyonrails	rails	3.1.2
rubyonrails	rails	3.1.2:rc1
rubyonrails	rails	3.1.2:rc2
rubyonrails	rails	3.1.3
rubyonrails	rails	3.1.4
rubyonrails	rails	3.1.4:rc1
rubyonrails	rails	3.1.5
rubyonrails	rails	3.1.5:rc1
rubyonrails	rails	3.1.6
rubyonrails	rails	3.1.7
rubyonrails	rails	3.1.8
rubyonrails	rails	3.1.9
rubyonrails	rails	3.1.10
rubyonrails	rails	3.2.0
rubyonrails	rails	3.2.0:rc1
rubyonrails	rails	3.2.0:rc2
rubyonrails	rails	3.2.1
rubyonrails	rails	3.2.2
rubyonrails	rails	3.2.2:rc1
rubyonrails	rails	3.2.3
rubyonrails	rails	3.2.3:rc1
rubyonrails	rails	3.2.3:rc2
rubyonrails	rails	3.2.4
rubyonrails	rails	3.2.4:rc1
rubyonrails	rails	3.2.5
rubyonrails	rails	3.2.6
rubyonrails	rails	3.2.7
rubyonrails	rails	3.2.8
rubyonrails	rails	3.2.10
rubyonrails	rails	3.2.11
rubyonrails	rails	3.2.12
rubyonrails	rails	3.2.13:rc1
rubyonrails	rails	3.2.13:rc2
rubyonrails	rails	3.2.15:rc3
rubyonrails	rails	3.2.16
rubyonrails	rails	3.2.17
rubyonrails	rails	3.2.18
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.0:beta
rubyonrails	rails	4.0.0:rc1
rubyonrails	rails	4.0.0:rc2
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1:rc1
rubyonrails	rails	4.0.1:rc2
rubyonrails	rails	4.0.1:rc3
rubyonrails	rails	4.0.1:rc4
rubyonrails	rails	4.0.2
rubyonrails	rails	4.0.3
rubyonrails	rails	4.0.4
rubyonrails	rails	4.0.5
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.6:rc1
rubyonrails	rails	4.0.6:rc2
rubyonrails	rails	4.0.6:rc3
rubyonrails	rails	4.0.7
rubyonrails	rails	4.0.8
rubyonrails	rails	4.0.9
rubyonrails	rails	4.0.10
rubyonrails	rails	4.0.10:rc1
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0:beta1
rubyonrails	rails	4.1.1
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.2:rc1
rubyonrails	rails	4.1.2:rc2
rubyonrails	rails	4.1.2:rc3
rubyonrails	rails	4.1.3
rubyonrails	rails	4.1.4
rubyonrails	rails	4.1.5
rubyonrails	rails	4.1.6
rubyonrails	rails	4.1.6:rc1
rubyonrails	rails	4.2.0:beta1
rubyonrails	rails	4.2.0:beta2
rubyonrails	ruby_on_rails	3.0.4
rubyonrails	ruby_on_rails	3.2.19
opensuse	opensuse	12.3
opensuse	opensuse	13.1
opensuse	opensuse	13.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rails

bullseye	2:6.0.3.7+dfsg-2+deb11u2 fixed
bullseye (security)	2:6.0.3.7+dfsg-2+deb11u2 fixed
wheezy	no-dsa
squeeze	not-affected
bookworm	2:6.1.7.3+dfsg-2~deb12u1 fixed
sid	2:6.1.7.3+dfsg-4 fixed
trixie	2:6.1.7.3+dfsg-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

rails

disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	not-affected
zesty	not-affected
yakkety	not-affected
xenial	not-affected
wily	not-affected
vivid	not-affected
utopic	not-affected
trusty	dne
precise	not-affected
lucid	ignored

rails-3.2

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	ignored
trusty	dne
precise	dne
lucid	dne

rails-4.0

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	ignored
trusty	dne
precise	dne
lucid	dne

ruby-actionpack-2.3

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	ignored
lucid	dne

ruby-actionpack-3.2

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	dne
lucid	dne

ruby-activerecord-2.3

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	ignored
lucid	dne

ruby-activerecord-3.2

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	dne
lucid	dne

ruby-activesupport-2.3

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	ignored
lucid	dne

ruby-activesupport-3.2

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	dne
lucid	dne

ruby-rails-2.3

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	ignored
lucid	dne

ruby-rails-3.2

disco	dne
cosmic	dne
bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	dne
wily	dne
vivid	dne
utopic	dne
trusty	dne
precise	dne
lucid	dne

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html

https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ

https://puppet.com/security/cve/cve-2014-7829

http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html

https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ

https://puppet.com/security/cve/cve-2014-7829