Search for packages
| purl | pkg:gem/actionpack@4.2 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-z1jv-4ga2-7kd1
Aliases: CVE-2016-2097 GHSA-vx9j-46rh-fqr8 |
Possible Information Leak Vulnerability Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. | There are no reported fixed by versions. |
|
VCID-zkvd-bfd6-t7dg
Aliases: CVE-2014-7818 GHSA-29gr-w57f-rpfw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T15:18:20.513206+00:00 | Ruby Importer | Affected by | VCID-zkvd-bfd6-t7dg | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml | 38.0.0 |
| 2026-04-01T15:18:20.407689+00:00 | Ruby Importer | Affected by | VCID-z1jv-4ga2-7kd1 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml | 38.0.0 |