Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-v3u5-6bpb-qfgf
Vulnerability ID VCID-v3u5-6bpb-qfgf
Aliases CVE-2014-7829
GHSA-h56m-vwxc-3qpw
Summary Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
epss 0.00265 https://api.first.org/data/v1/epss?cve=CVE-2014-7829
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-h56m-vwxc-3qpw
generic_textual MODERATE https://github.com/advisories/GHSA-h56m-vwxc-3qpw
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml
generic_textual MODERATE https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ
generic_textual MODERATE https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-7829
generic_textual MODERATE https://puppet.com/security/cve/cve-2014-7829
generic_textual MODERATE https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183
Reference id Reference type URL
http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7829.json
https://api.first.org/data/v1/epss?cve=CVE-2014-7829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829
https://github.com/advisories/GHSA-h56m-vwxc-3qpw
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ
https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
https://nvd.nist.gov/vuln/detail/CVE-2014-7829
https://puppet.com/security/cve/cve-2014-7829
https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183
http://weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/
1164659 https://bugzilla.redhat.com/show_bug.cgi?id=1164659
770934 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.50107
EPSS Score 0.00265
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:17.542525+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-h56m-vwxc-3qpw/GHSA-h56m-vwxc-3qpw.json 38.6.0