There is a directory traversal vulnerability in Ruby on Rails. This security update contains the following sections:
- Issue - security vulnerability summarized.
- Solution - the recommended solution for most cases.
- Workaround - alternatives in case you cannot upgrade now or have older versions.
- FAQs - frequently asked questions.
- More information - helpful links related to this security vulnerability.
A security vulnerability was released May 6th, 2014:
Directory traversal vulnerability in Ruby on Rails
There is a directory traversal vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.
Versions Affected: All supported versions.
Not affected: NONE.
Fixed Versions: 4.1.1, 4.0.5, 3.2.18
Upgrade Ruby on Rails to the following versions: 4.1.1, 4.0.5, 3.2.18.
Note: We understand that you may not be able to upgrade your version of Ruby on Rails. In this case, implement the workaround described in the next section.
If you are not able to upgrade soon you can apply one of the patches attached to the original CVE-2014-0130 advisory:
- 4-1-directory_traversal.patch - Patch for 4.1 series
- 4-0-directory_traversal.patch - Patch for 4.0 series
- 3-2-directory_traversal.patch - Patch for 3.2 series
How can I tell which versions I have now?
You can verify the versions you are using with:
machine user$ bundle list rails
|For more information about ...||See ...|
The amended announcement
The original announcement with the workaround patches
Ruby on Rails releases
If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.