Sha256: ece3156eb371630f35f906387a9028b0bab78bcd97a3244b29a19ee45f609c1f

Contents?: true

Size: 1.17 KB

Versions: 3

Compression:

Stored size: 1.17 KB

Contents

---
engine: ruby
cve: 2018-6914
url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
title: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
date: 2018-03-28
description: |
  There is an unintentional directory creation vulnerability in the tmpdir
  library bundled with Ruby, and an unintentional file creation vulnerability
  in the tempfile library bundled with Ruby, because tempfile uses tmpdir
  internally.

  The `Dir.mktmpdir` method provided by the tmpdir library accepts, as its
  first parameter, the prefix and the suffix of the directory to be created.
  The prefix can contain relative directory specifiers such as `../`, so the
  method can be made to target any directory. If a script accepts external
  input as the prefix, and the targeted directory has inappropriate
  permissions or the Ruby process has inappropriate privileges, an attacker
  can create a directory or a file in any directory.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.10"
  - "~> 2.3.7"
  - "~> 2.4.4"
  - "~> 2.5.1"
  - "> 2.6.0-preview1"
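The pattern the advisory describes, and the application-level check that closes it, as an added example. This is not code from the advisory, from the ruby-advisory-db or from Ruby's tmpdir; it models a hypothetical upload handler that lets the client choose the scratch-directory prefix, and the attacker-controlled prefix value is constructed for the example. `unchecked_scratch_dir_for` only reproduces the traversal on an unpatched Ruby; it is kept as the "before" and not exercised. The allow-list regex is a conservative choice of this example, not the behaviour of the fixed tmpdir, so the check holds regardless of which Ruby the code runs on.

```ruby
require "tmpdir"
require "tempfile"
require "fileutils"

# Added example (not code from the advisory or from Ruby itself). It models a
# hypothetical upload handler that lets the client pick the prefix of its
# scratch directory, which is exactly the pattern the advisory warns about.

# Conservative allow-list for a prefix or suffix: one leading alphanumeric,
# then up to 63 alphanumerics, "_", "." or "-". This rejects "../", "/", "\\",
# NUL, "." and ".." without enumerating every platform's separators.
SAFE_PREFIX_RE = /\A[[:alnum:]][[:alnum:]_.-]{0,63}\z/

def safe_tmp_prefix?(prefix)
  prefix.is_a?(String) && prefix.match?(SAFE_PREFIX_RE)
end

# Shows where an unchecked prefix would land relative to Dir.tmpdir: true when
# the resulting path is no longer inside the temporary directory. "X" stands
# in for the random part that mktmpdir appends to the prefix.
def escapes_tmpdir?(prefix)
  base = Dir.tmpdir
  target = File.expand_path(File.join(base, "#{prefix}X"))
  !target.start_with?(base + File::SEPARATOR)
end

# Before: untrusted input flows straight into Dir.mktmpdir. On an unpatched
# Ruby a prefix such as "../../etc/cron.d/" creates the directory under /etc
# (given sufficient privileges). Kept for comparison, not called below.
def unchecked_scratch_dir_for(prefix)
  Dir.mktmpdir(prefix)
end

# After: validate before the call, so the safety does not depend on the
# tmpdir version in use. Caller removes the directory when done.
def scratch_dir_for(prefix)
  raise ArgumentError, "unsafe tmpdir prefix: #{prefix.inspect}" unless safe_tmp_prefix?(prefix)
  Dir.mktmpdir(prefix)
end

# Same check for tempfile, which names its files through the same tmpdir code.
# Yields the open file; Tempfile.create removes it when the block returns.
def with_scratch_file(prefix)
  raise ArgumentError, "unsafe tempfile prefix: #{prefix.inspect}" unless safe_tmp_prefix?(prefix)
  Tempfile.create(prefix) { |f| yield f }
end

if $PROGRAM_NAME == __FILE__
  hostile = "../../etc/cron.d/" # constructed attacker-controlled prefix
  puts "#{hostile.inspect} escapes tmpdir? #{escapes_tmpdir?(hostile)}" # true
  begin
    scratch_dir_for(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  dir = scratch_dir_for("upload-")
  puts "created #{dir} under #{Dir.tmpdir}"
  FileUtils.remove_entry(dir)
  with_scratch_file("upload-") { |f| puts "tempfile at #{f.path}" }
end
```

`escapes_tmpdir?` is the quickest way to see the advisory's point on any Ruby: it computes the directory `Dir.mktmpdir` would have targeted without creating anything. Rejecting the input up front is preferable to normalising it, since a prefix containing separators is never a legitimate temp-name component.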

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/rubies/ruby/CVE-2018-6914.yml
bundler-budit-0.6.2 data/ruby-advisory-db/rubies/ruby/CVE-2018-6914.yml
bundler-budit-0.6.1 data/ruby-advisory-db/rubies/ruby/CVE-2018-6914.yml