---
gem: actionpack
framework: rails
cve: 2014-7829
url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
title: Arbitrary file existence disclosure in Action Pack
date: 2014-11-17

description: |
  Specially crafted requests can be used to determine whether a file exists on
  the filesystem that is outside the Rails application's root directory.  The
  files will not be served, but attackers can determine whether or not the file
  exists.  This vulnerability is very similar to CVE-2014-7818, but the
  specially crafted string is slightly different.

cvss_v2: 5.0

unaffected_versions:
  - "< 3.0.0"

patched_versions:
  - ~> 3.2.21
  - ~> 4.0.11.1
  - ~> 4.0.12
  - ~> 4.1.7.1
  - ">= 4.1.8"