Ruby

By DeepSource

Rails version with file disclosure vulnerability detected RB-A1003

Security

Selected versions of Rails 2, 3 & 4 are vulnerable to a file existence disclosure. Upgrading to a patched Rails release, or disabling serving of static assets if it is enabled, fixes this issue.

In vulnerable Rails versions, when serve_static_assets is enabled, remote attackers can determine whether files outside the application root exist by requesting paths that contain a backslash character.
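The following is an added example, not code from DeepSource or from Rails itself. It shows the defensive shape a static file resolver needs if it is to refuse the request forms named above: percent-decode before checking, reject backslashes and NUL bytes, refuse any `..` segment, avoid glob matching, and confirm the resolved real path is still under the public root. The function and file names (`safe_static_path`, `build_sample_tree`, `probe`, the `app.css` and `outside.txt` files) are hypothetical, and the sample request paths are constructed for the demonstration; the page does not describe the exact mechanism of the Rails bug, and this resolver is not a reproduction of it.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Rails' own code: resolve a request path against
# +public_root+ and return the absolute file path only when the request is
# safe to serve; return nil when it must be refused.
def safe_static_path(public_root, request_path)
  root = File.realpath(public_root)

  # Percent-decode on raw bytes so "%5c" (backslash) and "%2e%2e" ("..") are
  # visible to the checks below, then require the result to be valid UTF-8.
  decoded = request_path.to_s.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.force_encoding(Encoding::UTF_8)
  return nil unless decoded.valid_encoding?

  # Backslash and NUL have no place in a request path. Refusing them up front
  # sidesteps any component (glob patterns, another platform's path rules)
  # that might treat them as an escape or a separator.
  return nil if decoded.include?("\\") || decoded.include?("\0")

  # Refuse ".." segments outright instead of trying to normalise them away.
  segments = decoded.split("/").reject(&:empty?)
  return nil if segments.include?("..")

  # Plain File calls rather than Dir[] so no pattern characters are interpreted.
  candidate = File.join(root, *segments)
  return nil unless File.file?(candidate) && File.readable?(candidate)

  # Resolve symlinks and confirm the final location is still under the root.
  real = File.realpath(candidate)
  return nil unless real.start_with?(root + File::SEPARATOR)
  real
rescue SystemCallError
  nil
end

# Constructed sample layout: one asset inside the public root and a file just
# outside it that a traversal attempt would target.
def build_sample_tree
  base = Dir.mktmpdir("static-demo")
  public_root = File.join(base, "public")
  FileUtils.mkdir_p(File.join(public_root, "assets"))
  File.write(File.join(public_root, "assets", "app.css"), "body {}\n")
  File.write(File.join(base, "outside.txt"), "not servable\n")
  public_root
end

# Constructed request paths, including the backslash and dot-dot forms a
# resolver must refuse; returns each path mapped to its resolution (or nil).
def probe(public_root)
  requests = [
    "/assets/app.css",
    "/assets/%61pp.css",               # percent-encoded "a", same file
    "/assets/../../outside.txt",
    "/assets%5c..%5c..%5coutside.txt",
    "/assets/..\\..\\outside.txt",
    "/assets/app.css%00",
    "/assets",                         # a directory, not a file
  ]
  requests.to_h { |r| [r, safe_static_path(public_root, r)] }
end

if __FILE__ == $PROGRAM_NAME
  probe(build_sample_tree).each do |req, res|
    puts "#{req.ljust(36)} -> #{res || 'refused'}"
  end
end
```

Run the file directly and only the two legitimate requests resolve; every traversal form, including the percent-encoded and literal backslash variants, is refused. A check like this belongs in your own code only when you serve files yourself; for a Rails application the fix the page recommends stands: upgrade to a patched release, or set `config.serve_static_assets = false` in the production environment so the web server, not Action Pack, serves `public/`. Note that later Rails releases renamed this setting (`serve_static_files` in 4.2, `public_file_server.enabled` from 5.0).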

References

  1. CVE-2014-7829 - Rails Security Group
  2. CVE-2014-7829 - GitHub Advisory Database
  3. OWASP Top 10 - A5 - Broken Access Control
  4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities