Rails version with file disclosure vulnerability detected RB-A1003

Selected versions of Rails 2, 3 & 4 are vulnerable to file disclosures. Upgrading to newer versions of Rails or disabling serving of static assets, if enabled, can help fix this issue.

In vulnerable Rails versions, when serve_static_assets is enabled, remote attackers can determine the existence of files outside the application root via vectors involving a backslash character.

References

1. CVE-2014-7829 - Rails Security Group
2. CVE-2014-7829 - GitHub Advisory Database
3. OWASP Top 10 - A5 - Broken Access Control
4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities