Overview

CVE-2014-7818 and CVE-2014-7829 (Rails Action Pack vulnerabilities allow arbitrary file existence disclosure)

  • Posted December 16, 2014

  • Assessed Risk Level: Medium

Vulnerabilities in Rails Action Pack allow an attacker to determine the existence of files outside the Rails application root directory. The files will not be served, but attackers can determine whether or not specific files exist.

CVE-2014-7818:

Upstream CVSS v2 Score: 4.3

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C

CVE-2014-7829:

Upstream CVSS v2 Score: 5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Status:

Affected Software Versions:

  • Puppet Enterprise 3.x

Resolved in:

  • Puppet Enterprise 3.7.1