SB2014120852 - Path traversal in ruby-redmine-actionmailer (Alpine package)
Published: December 8, 2014
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2014-7819)
The vulnerability allows a remote, unauthenticated attacker to determine whether files outside the application root exist, which is an information disclosure.
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
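The following Ruby example is added here to illustrate the class of defect described above. It is not Sprockets' server.rb or any Alpine code, and it makes no claim about the exact check Sprockets used; the asset root, the in-memory file list standing in for the filesystem and the request paths are all constructed. A guard that looks for the literal "../" in the raw request path is bypassed by percent-encoded dots or slashes, and the 200-versus-404 difference on the resulting lookup is exactly the existence oracle the advisory describes. The hardened guard decodes first, resolves the path to its canonical absolute form and requires it to remain beneath the asset root, so every spelling of the traversal (including the double-slash form, which this particular substring check happens to catch) is rejected by the same rule.

```ruby
# Added example, not Sprockets' or Alpine's code: a toy asset server with a
# naive traversal guard next to a canonicalising one. Paths and the file
# list below are constructed so the example runs offline.
ASSET_ROOT = "/srv/app/assets".freeze          # hypothetical asset root

# Constructed stand-in for the real filesystem.
EXISTING_FILES = [
  "#{ASSET_ROOT}/application.js",
  "#{ASSET_ROOT}/css/site.css",
  "/etc/passwd",
].freeze

# Single-pass %XX decoding, as a front end does before handing the path on.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Naive guard: a substring test on the *raw* request path. Encoded dots
# ("%2e%2e/") or an encoded slash ("..%2f") never contain the literal "../".
def naive_forbidden?(raw_path)
  raw_path.include?("../") || raw_path.start_with?("/")
end

# Hardened guard: decode first, refuse NUL bytes, then resolve to an absolute
# path against the asset root and insist the result still lies beneath it.
# File.absolute_path collapses "..", "." and repeated slashes but, unlike
# File.expand_path, does not expand a leading "~" into a home directory.
# Returns the canonical path, or nil when the request must be refused.
def safe_resolve(raw_path)
  decoded = percent_decode(raw_path)
  return nil if decoded.include?("\0")
  resolved = File.absolute_path(decoded, ASSET_ROOT)
  resolved.start_with?("#{ASSET_ROOT}/") ? resolved : nil
end

# Status-only responses: 403 for a refused path, otherwise 200/404 from the
# lookup. A 200-vs-404 difference for a path outside the root is the oracle.
def naive_serve(raw_path)
  return 403 if naive_forbidden?(raw_path)
  resolved = File.absolute_path(percent_decode(raw_path), ASSET_ROOT)
  EXISTING_FILES.include?(resolved) ? 200 : 404
end

def hardened_serve(raw_path)
  resolved = safe_resolve(raw_path)
  return 403 if resolved.nil?
  EXISTING_FILES.include?(resolved) ? 200 : 404
end

if __FILE__ == $0
  probes = [
    "application.js",
    "css/../application.js",
    "../../../etc/passwd",
    "..//..//..//etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
  ]
  probes.each do |p|
    printf("%-36s naive=%d hardened=%d\n", p, naive_serve(p), hardened_serve(p))
  end
end
```

Run the file directly to print both servers' status codes for each probe; the encoded probes get 200 for /etc/passwd and 404 for /etc/shadow from the naive server, which is the file-existence leak. File.absolute_path is used rather than File.expand_path because the latter expands a leading "~" into a home directory, which would reintroduce an escape for a request such as ~root/.ssh/id_rsa. The decoder runs once; if a front end may decode as well, apply the canonical-path check after every decoding stage rather than matching on the shape of the input.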
Remediation
Install the fixed package from the Alpine package repositories; the aports commits listed under References carry the update.
References
- https://git.alpinelinux.org/aports/commit/?id=dad2215438e3ff0d93efdc6b8a7c4f03bd9a4292
- https://git.alpinelinux.org/aports/commit/?id=6c9332933b4506fd7325c6066adabc32d2a6fac0
- https://git.alpinelinux.org/aports/commit/?id=e9cf2371bef95401aee294e176db38d939df2b13
- https://git.alpinelinux.org/aports/commit/?id=0d683347f6dbd7b6c31cc7800d8be4203045431e