Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
| Score | Percentile |
|---|---|
| 0.75% | 72.64% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-33pp-3763-mrfp ↗ |
| CVE | CVE-2014-7819 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rubygems | sprockets | < 2.0.5 | 2.0.5 | — |
| rubygems | sprockets | >= 2.1.0, < 2.1.4 | 2.1.4 | — |
| rubygems | sprockets | >= 2.2.0, < 2.2.3 | 2.2.3 | — |
| rubygems | sprockets | >= 2.3.0, < 2.3.3 | 2.3.3 | — |
| rubygems | sprockets | >= 2.4.0, < 2.4.6 | 2.4.6 | — |
| rubygems | sprockets | >= 2.5.0, < 2.5.1 | 2.5.1 | — |
| rubygems | sprockets | >= 2.6.0, < 2.7.1 | 2.7.1 | — |
| rubygems | sprockets | >= 2.8.0, < 2.8.3 | 2.8.3 | — |
| rubygems | sprockets | >= 2.9.0, < 2.9.4 | 2.9.4 | — |
| rubygems | sprockets | >= 2.10.0, < 2.10.2 | 2.10.2 | — |
| rubygems | sprockets | >= 2.11.0, < 2.11.3 | 2.11.3 | — |
| rubygems | sprockets | >= 2.12.0, < 2.12.3 | 2.12.3 | — |