---
gem: yard
cve: 2019-1020001
ghsa: xfhh-rx56-rxcr
url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
date: 2019-07-02
title: Arbitrary path traversal and file access via `yard server`
description: |
  A path traversal vulnerability was discovered in YARD <= 0.9.19 when using 
  `yard server` to serve documentation. This bug would allow unsanitized HTTP
  requests to access arbitrary files on the machine of a yard server host under
  certain conditions.

  The issue is resolved in v0.9.20 and later.
patched_versions:
  - ">= 0.9.20"
cvss_v3: 7.3