---
gem: rubyzip
date: 2018-06-14
url: https://github.com/rubyzip/rubyzip/issues/369
cve: 2018-1000544
title: Directory Traversal in rubyzip
description: |
  rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
  in Zip::File component that can result in write arbitrary files to the filesystem.
  If a site allows uploading of .zip files, an attacker can upload a malicious file
  which contains symlinks or files with absolute pathnames "../" to write arbitrary
  files to the filesystem.
patched_versions:
  - ">= 1.2.2"
related:
  cve:
    - 2017-5946
  url:
    - https://security-tracker.debian.org/tracker/CVE-2018-1000544