---
engine: ruby
cve: 2018-6914
url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
title: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
date: 2018-03-28
description: |
  There is an unintentional directory creation vulnerability in tmpdir library
  bundled with Ruby. And there is also an unintentional file creation
  vulnerability in tempfile library bundled with Ruby, because it uses tmpdir
  internally

  `Dir.mktmpdir` method introduced by tmpdir library accepts the prefix and the
  suffix of the directory which is created as the first parameter. The prefix can
  contain relative directory specifiers `../`, so this method can be used to
  target any directory. So, if a script accepts an external input as the prefix,
  and the targeted directory has inappropriate permissions or the ruby process
  has inappropriate privileges, the attacker can create a directory or a file at
  any directory.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.10"
  - "~> 2.3.7"
  - "~> 2.4.4"
  - "~> 2.5.1"
  - "> 2.6.0-preview1"