CVE-2014-7818: Arbitrary file existence disclosure
(updated )
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application’s production configuration will say: config.serve_static_assets = true
References
Detect and mitigate CVE-2014-7818 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →