CVE-2014-7818: Arbitrary file existence disclosure

November 8, 2014 (updated August 8, 2019)

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application’s production configuration will say: config.serve_static_assets = true

References

groups.google.com/forum/

Detect and mitigate CVE-2014-7818 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →