---
gem: actionpack
framework: rails
cve: 2014-0130
url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
title: Directory Traversal Vulnerability With Certain Route Configurations
date: 2014-05-06

description: |
  There is a vulnerability in the 'implicit render' functionality in Ruby on Rails.
  The implicit render functionality allows controllers to render a template,
  even if there is no explicit action with the corresponding name. This module
  does not perform adequate input sanitization which could allow an attacker to
  use a specially crafted request to retrieve arbitrary files from the rails
  application server.

cvss_v2: 4.3

patched_versions:
  - ~> 3.2.18
  - ~> 4.0.5
  - ">= 4.1.1"