CVE-2014-7819: Arbitrary file existence disclosure

November 8, 2014 (updated December 18, 2018)

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application’s root directory. The files will not be served, but attackers can determine whether the file exists.

References

groups.google.com/forum/

Detect and mitigate CVE-2014-7819 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 3.0.0a before 3.0.0.beta.3, all versions starting from 2.12.0a before 2.12.3, all versions starting from 2.11.0a before 2.11.3, all versions starting from 2.10.0a before 2.10.2, all versions starting from 2.9.0a before 2.9.4, all versions starting from 2.8.0a before 2.8.3, all versions starting from 2.7.0a before 2.7.1, all versions starting from 2.5.0a before 2.5.1, all versions starting from 2.4.0a before 2.4.6, all versions starting from 2.3.0a before 2.3.3, all versions starting from 2.2.0a before 2.2.3, all versions starting from 2.1.0a before 2.1.4, all versions starting from 2.0.0 before 2.0.5

Fixed versions

2.0.5
2.1.4
2.10.2
2.11.3
2.12.3
2.2.3
2.3.3
2.4.6
2.5.1
2.7.1
2.8.3
2.9.4
3.0.0.beta.3

Solution

Upgrade to latest or use workaround. In Rails applications, work around this issue, set config.serve_static_assets = false in an initializer. This work around will not be possible in all hosting environments and upgrading is advised.

Impact 5 MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N

Learn more about CVSS

Weakness

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

gem/sprockets/CVE-2014-7819.yml

Spotted a mistake? Edit the file on GitLab.