VulnerableCode Vulnerability Details - VCID-sg9h-7dqr-xugu

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-sg9h-7dqr-xugu

Essentials
Severities (9)
References (12)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sg9h-7dqr-xugu
Aliases	CVE-2014-7818 GHSA-29gr-w57f-rpfw
Summary	actionpack vulnerable to Path Traversal Directory traversal vulnerability in `actionpack/lib/action_dispatch/middleware/static.rb` in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when `serve_static_assets` is enabled, allows remote attackers to determine the existence of files outside the application root via a `/..%2F` sequence.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	MODERATE	http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
epss	0.0022	https://api.first.org/data/v1/epss?cve=CVE-2014-7818
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-29gr-w57f-rpfw
generic_textual	MODERATE	https://github.com/advisories/GHSA-29gr-w57f-rpfw
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml
generic_textual	MODERATE	https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
generic_textual	MODERATE	https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2014-7818
generic_textual	MODERATE	https://puppet.com/security/cve/cve-2014-7829

Reference id	Reference type	URL
		http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7818.json
		https://api.first.org/data/v1/epss?cve=CVE-2014-7818
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818
		https://github.com/advisories/GHSA-29gr-w57f-rpfw
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml
		https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
		https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
		https://nvd.nist.gov/vuln/detail/CVE-2014-7818
		https://puppet.com/security/cve/cve-2014-7829
1161499		https://bugzilla.redhat.com/show_bug.cgi?id=1161499
770934		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.44666
EPSS Score	0.0022
Published At	May 29, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T08:57:18.929232+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-29gr-w57f-rpfw/GHSA-29gr-w57f-rpfw.json	38.6.0