{
  "threat_severity" : "Low",
  "public_date" : "2014-10-31T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-sprockets: arbitrary file existence disclosure",
    "id" : "1161527",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1161527"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22->CWE-200",
  "details" : [ "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding." ],
  "statement" : "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "acknowledgement" : "Red Hat would like to thank the Ruby on Rails project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "cfme-0:5.4.0.5-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "cfme-gemset-0:5.4.0.5-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "cfme-vnc-plugin-0:1.0.0-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "libdnet-0:1.12-11.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "lshw-0:B.02.16-4.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "netapp-manageability-sdk-0:4.0P1-3.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "open-vm-tools-0:9.2.3-5.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "prince-0:9.0r2-4.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "pyliblzma-0:0.5.3-7.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-bcrypt-ruby-0:3.0.1-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-eventmachine-0:1.0.7-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-ffi-0:1.9.8-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-io-extra-0:1.2.8-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-json-0:1.8.2-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-nokogiri-0:1.5.11-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-pg-0:0.12.2-9.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-psych-0:2.0.13-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-qpid_messaging-0:0.20.2-5.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-therubyracer-0:0.11.0-5.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby200-rubygem-thin-0:1.3.1-9.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "sneakernet_ca-0:0.1-2.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.4",
    "release_date" : "2015-06-16T00:00:00Z",
    "advisory" : "RHBA-2015:1100",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "wmi-0:1.3.14-1.el6cf"
  } ],
  "package_state" : [ {
    "product_name" : "OpenStack Foreman",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-sprockets",
    "cpe" : "cpe:/a:redhat:openstack-installer:5"
  }, {
    "product_name" : "Red Hat OpenStack Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-sprockets",
    "cpe" : "cpe:/a:redhat:openstack:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-sprockets",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "ror40-rubygem-sprockets",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-sprockets",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-sprockets",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-7819\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-7819\nhttps://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY" ],
  "name" : "CVE-2014-7819",
  "csaw" : false
}