Engine Yard Developer Center

May 6, 2014: CVE-2014-0130 Directory Traversal Vulnerability

There is a directory traversal vulnerability in Ruby on Rails. This security update contains the following sections:

  • Issue - security vulnerability summarized.
  • Solution - the recommended solution for most cases.
  • Workaround - alternatives in case you cannot upgrade now or have older versions.
  • FAQs - frequently asked questions.
  • More information - helpful links related to this security vulnerability.

Issue

A security vulnerability was released May 6th, 2014:

Directory traversal vulnerability in Ruby on Rails

There is a directory traversal vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.

Versions Affected: All supported versions.

Not affected: NONE.

Fixed Versions: 4.1.1, 4.0.5, 3.2.18

Solution

Upgrade Ruby on Rails to the following versions: 4.1.1, 4.0.5, 3.2.18.

Note: We understand that you may not be able to upgrade your version of Ruby on Rails. In this case, implement the workaround described in the next section.

Workaround

If you are not able to upgrade soon you can apply one of the patches attached to the original CVE-2014-0130 advisory:

  • 4-1-directory_traversal.patch - Patch for 4.1 series
  • 4-0-directory_traversal.patch - Patch for 4.0 series
  • 3-2-directory_traversal.patch - Patch for 3.2 series

FAQs

How can I tell which versions I have now?

You can verify the versions you are using with:

machine user$ bundle list rails

More information

For more information about ...See ...

The amended announcement

CVE-2014-0130 AMENDED

The original announcement with the workaround patches

CVE-2014-0130

Ruby on Rails releases

RoR releases

If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Please sign in to leave a comment.

Powered by Zendesk