HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2014-0130

CVSS 7.5v3.1pub. 2014-05-07upd. 2026-04-21

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Red Hat Enterprise Linux Server

    OS
    Redhat
    6.0
  • Red Hat Subscription Asset Manager

    APP
    Redhat
    ≤ 1.3.0
  • Rubyonrails Rails

    APP
    Rubyonrails
    < 3.2.184.0.0 – 4.0.5 (bez)4.1.0 – 4.1.1 (bez)

CISA KEV — detailsi

Vendori
Rails
Producti
Ruby on Rails
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 kwietnia 2022
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2019-5544CRITICAL9.8⚠ KEVten sam produkt

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the s...

CVE-2016-4171CRITICAL9.8⚠ KEVten sam produkt

Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbi...

CVE-2016-4117CRITICAL9.8⚠ KEVten sam produkt

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified ve...

CVE-2016-3427CRITICAL9.8⚠ KEVten sam produkt

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...