Cyber Resilience

CVE-2014-0130

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 07 May 2014
Modified: 21 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5271 (98.0th percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-0130 is a high-severity Path Traversal (CWE-22) vulnerability in Ruby on Rails (vendor rubyonrails, product rails). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a directory traversal flaw (CWE-22) in the implicit-render implementation within actionpack/lib/abstract_controller/base.rb of Ruby on Rails. It affects versions prior to 3.2.18, 4.0.x prior to 4.0.5, and 4.1.x prior to 4.1.1 when specific route globbing configurations are enabled, and carries a CVSS 3.1 score of 7.5 with high impact on confidentiality.

Unauthenticated remote attackers can exploit the issue by submitting a crafted request whose path components traverse directories, allowing them to read arbitrary files readable by the application process.

Official advisories including the Ruby on Rails security announcement and Red Hat RHSA-2014-1863 recommend upgrading to the fixed releases 3.2.18, 4.0.5, or 4.1.1; the accompanying Matasano analysis provides additional technical detail on the route-globbing trigger and exploitation path.
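As an added illustration (not the Rails project's code or the upstream patch), the Ruby below mimics how an implicit render maps a route-supplied action name onto a template path, shows how a traversal value resolves outside the view directory, and applies the SI-10 style input validation (an identifier-only allowlist) that rejects such names before any rendering happens. VIEWS_ROOT, the function names and the sample inputs are all constructed for this example.

```ruby
require "pathname"

# Constructed stand-in for a controller's view directory (not a real path).
VIEWS_ROOT = Pathname.new("/app/views/pages")

# Mirrors the risky pattern: an action name captured by a globbing route is
# joined straight onto the view directory to pick the template to render.
# No validation happens here, so "../" segments are honoured by cleanpath.
def implicit_template_path(action_name)
  VIEWS_ROOT.join("#{action_name}.html.erb").cleanpath
end

# Detection helper: does the resolved template path leave VIEWS_ROOT?
def escapes_views_root?(action_name)
  resolved = implicit_template_path(action_name).to_s
  !resolved.start_with?(VIEWS_ROOT.to_s + "/")
end

# Input validation (NIST SI-10 style): an action name must be a plain
# identifier, so separators, dots and ".." can never reach the render step.
VALID_ACTION = /\A[a-z_][a-z0-9_]*\z/i

def valid_action_name?(action_name)
  !!(action_name.to_s =~ VALID_ACTION)
end

# Hardened variant: refuse to compute a template path for anything that is
# not a plain identifier. Rendering code would call this instead of the
# unvalidated helper above.
def safe_template_path(action_name)
  unless valid_action_name?(action_name)
    raise ArgumentError, "rejected action name: #{action_name.inspect}"
  end
  implicit_template_path(action_name)
end

if __FILE__ == $PROGRAM_NAME
  ["about", "../../../../etc/passwd"].each do |name|
    puts "#{name.inspect}: escapes=#{escapes_views_root?(name)} " \
         "valid=#{valid_action_name?(name)}"
  end
end
```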


Vulnerability details

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor        Product                      Versions
redhat        subscription asset manager   ≤ 1.3.0
redhat        enterprise linux server      6.0
rubyonrails   rails                        ≤ 3.2.18 · 4.0.0 to 4.0.5 · 4.1.0 to 4.1.1

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly requires timely application of patches that eliminate the directory-traversal flaw in the implicit-render code.

SI-10 (Information Input Validation), prevent: Mandates validation of untrusted input to block crafted requests containing path-traversal sequences before they reach the vulnerable render logic.

prevent: Enforces authorization checks on file-system objects so that even a successful traversal cannot expose files the process is not explicitly permitted to read.
