{"id":"GHSA-33pp-3763-mrfp","summary":"sprockets vulnerable to Path Traversal","details":"Multiple directory traversal vulnerabilities in `server.rb` in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.","aliases":["CVE-2014-7819"],"modified":"2024-11-28T05:44:08.069334Z","published":"2017-10-24T18:33:36Z","database_specific":{"github_reviewed_at":"2020-06-16T20:53:55Z","severity":"MODERATE","cwe_ids":["CWE-22"],"github_reviewed":true,"nvd_published_at":"2014-11-08T11:55:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7819"},{"type":"WEB","url":"https://access.redhat.com/errata/RHBA-2015:1100"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2014-7819"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1161527"},{"type":"WEB","url":"https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY"},{"type":"WEB","url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ"},{"type":"WEB","url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00103.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html"}],"affected":[{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.5"}]}],"versions":["0.9.0","0.9.1","1.0.0","1.0.1","1.0.2","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.1.0"},{"fixed":"2.1.4"}]}],"versions":["2.1.0","2.1.1","2.1.2","2.1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}],"versions":["2.2.0","2.2.1","2.2.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.3.0"},{"fixed":"2.3.3"}]}],"versions":["2.3.0","2.3.1","2.3.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.4.0"},{"fixed":"2.4.6"}]}],"versions":["2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.5.0"},{"fixed":"2.5.1"}]}],"versions":["2.5.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.0"},{"fixed":"2.7.1"}]}],"versions":["2.6.0","2.6.1","2.7.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.8.0"},{"fixed":"2.8.3"}]}],"versions":["2.8.0","2.8.1","2.8.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.9.0"},{"fixed":"2.9.4"}]}],"versions":["2.9.0","2.9.2","2.9.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.10.0"},{"fixed":"2.10.2"}]}],"versions":["2.10.0","2.10.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.11.0"},{"fixed":"2.11.3"}]}],"versions":["2.11.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}},{"package":{"name":"sprockets","ecosystem":"RubyGems","purl":"pkg:gem/sprockets"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.12.0"},{"fixed":"2.12.3"}]}],"versions":["2.12.0","2.12.1","2.12.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-33pp-3763-mrfp/GHSA-33pp-3763-mrfp.json"}}],"schema_version":"1.7.3"}