{"url":"http://public2.vulnerablecode.io/api/packages/359843?format=json","purl":"pkg:deb/debian/rails@2:4.1.8-1?distro=trixie","type":"deb","namespace":"debian","name":"rails","version":"2:4.1.8-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2:4.2.4-2","latest_non_vulnerable_version":"2:7.2.3.1+dfsg-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27073?format=json","vulnerability_id":"VCID-sg9h-7dqr-xugu","summary":"actionpack vulnerable to Path Traversal\nDirectory traversal vulnerability in `actionpack/lib/action_dispatch/middleware/static.rb` in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when `serve_static_assets` is enabled, allows remote attackers to determine the existence of files outside the application root via a `/..%2F` sequence.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7818.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7818.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-7818","reference_id":"","reference_type":"","scores":[{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44666","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-7818"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818"},{"reference_url":"https://github.com/advisories/GHSA-29gr-w57f-rpfw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29gr-w57f-rpfw"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7818","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7818"},{"reference_url":"https://puppet.com/security/cve/cve-2014-7829","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2014-7829"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1161499","reference_id":"1161499","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1161499"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934","reference_id":"770934","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/359843?format=json","purl":"pkg:deb/debian/rails@2:4.1.8-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359826?format=json","purl":"pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359824?format=json","purl":"pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359828?format=json","purl":"pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359827?format=json","purl":"pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2014-7818","GHSA-29gr-w57f-rpfw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sg9h-7dqr-xugu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27000?format=json","vulnerability_id":"VCID-v3u5-6bpb-qfgf","summary":"Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \\ (backslash) character, a similar issue to CVE-2014-7818.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7829.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7829.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-7829","reference_id":"","reference_type":"","scores":[{"value":"0.00265","scoring_system":"epss","scoring_elements":"0.50107","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-7829"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829"},{"reference_url":"https://github.com/advisories/GHSA-h56m-vwxc-3qpw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h56m-vwxc-3qpw"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7829","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7829"},{"reference_url":"https://puppet.com/security/cve/cve-2014-7829","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2014-7829"},{"reference_url":"https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183"},{"reference_url":"http://weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"http://weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1164659","reference_id":"1164659","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1164659"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934","reference_id":"770934","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/359843?format=json","purl":"pkg:deb/debian/rails@2:4.1.8-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359826?format=json","purl":"pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359824?format=json","purl":"pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359828?format=json","purl":"pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ghz-4sfg-2feh"},{"vulnerability":"VCID-5bzk-rhe1-fqdc"},{"vulnerability":"VCID-7zz5-k99f-v3f6"},{"vulnerability":"VCID-f48b-ashx-53bg"},{"vulnerability":"VCID-gbvf-y28h-kqax"},{"vulnerability":"VCID-hdsb-jx4g-fqf6"},{"vulnerability":"VCID-nwk7-sujd-nkc1"},{"vulnerability":"VCID-urpb-uk1z-vqga"},{"vulnerability":"VCID-v3mu-95kt-ufc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/359827?format=json","purl":"pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2014-7829","GHSA-h56m-vwxc-3qpw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v3u5-6bpb-qfgf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.8-1%3Fdistro=trixie"}