CVE-2014-7829: Arbitrary file existence disclosure

November 18, 2014 (updated August 8, 2019)

Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application’s root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application’s production configuration will say: config.serve_static_assets = true

References

weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/
groups.google.com/forum/

Code Behaviors & Features

Detect and mitigate CVE-2014-7829 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →