CyberSec.Space Logo
CVEブラウザに戻る

CVE-2014-0130

Known Exploited (CISA KEV)HIGH
7.5
CVSS Severity Score
EPSS Score81.4730%
EPSS Percentile97.72th
Published2014年5月7日
Last Modified2026年4月21日

Vulnerability Description

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

Affected Platforms (CPE)

📦
Redhat

Subscription Asset Manager

<= 1.3.0
💻
Redhat

Enterprise Linux Server

= 6.0
📦
Rubyonrails

Rails

< 3.2.18
📦
Rubyonrails

Rails

>= 4.0.0 and < 4.0.5
📦
Rubyonrails

Rails

>= 4.1.0 and < 4.1.1

References & Advisories

🔗 http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
🔗 http://rhn.redhat.com/errata/RHSA-2014-1863.html
🔗 http://www.securityfocus.com/bid/67244
🔗 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
🔗 http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
🔗 http://rhn.redhat.com/errata/RHSA-2014-1863.html
🔗 http://www.securityfocus.com/bid/67244
🔗 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ

関連する脆弱性情報

CVE-2015-75019.8

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterp...

CVE-2013-64399.3

Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does...

CVE-2014-01836.1

Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name wh...

CVE-2013-18234.3

Cross-site scripting (XSS) vulnerability in the Notifications form in Red Hat Subscription Asset Manager before 1.2.1 allows remot...