CVE-2014-0130
Published: 07 May 2014
Summary
CVE-2014-0130 is a high-severity Path Traversal (CWE-22) vulnerability in Ruby on Rails. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a directory traversal flaw (CWE-22) in the implicit-render implementation within actionpack/lib/abstract_controller/base.rb of Ruby on Rails. It affects versions prior to 3.2.18, 4.0.x prior to 4.0.5, and 4.1.x prior to 4.1.1 when specific route globbing configurations are enabled, and carries a CVSS 3.1 score of 7.5 with high impact on confidentiality.
Remote, unauthenticated attackers can exploit the issue over the network by submitting a crafted request that traverses directories, enabling them to read arbitrary files on the affected system.
Official advisories including the Ruby on Rails security announcement and Red Hat RHSA-2014-1863 recommend upgrading to the fixed releases 3.2.18, 4.0.5, or 4.1.1; the accompanying Matasano analysis provides additional technical detail on the route-globbing trigger and exploitation path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0180
Vulnerability details
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
- CWE(s)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of patches that eliminate the directory-traversal flaw in the implicit-render code.
Mandates validation of untrusted input to block crafted requests containing path-traversal sequences before they reach the vulnerable render logic.
Enforces authorization checks on file-system objects so that even a successful traversal cannot expose files the process is not explicitly permitted to read.