CVE-2014-0130
REJECTED
KEV
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
Risk Scores
- EPSS Score: 52.71% · 98.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | rails | 2:4.2.9-4, *, 0 |
| Ubuntu:16.04:LTS | rails | 0, 2:4.1.10-1, 2:4.2.5-1 |
Timeline
- CVE Published
- Jul 9, 2015 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 25, 2022 CISA KEV Added
- Feb 3, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Jun 14, 2023 PoC Published
- Dec 24, 2024 PoC Published
- Feb 23, 2025 PoC Published
- Mar 17, 2025 EPSS Score
- Mar 20, 2025 EPSS Score
- Mar 27, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-0130 third-party-advisory
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-0130 third-party-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory