CVE-2018-6914

Published: 03 Apr 2018
Source: debian

Description

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

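Packages

| Package | Status | Fix version | Release | Type |
| --- | --- | --- | --- | --- |
| ruby2.5 | fixed | 2.5.1-1 | | package |
| ruby2.3 | removed | | | package |
| ruby2.1 | removed | | | package |
| ruby1.9.1 | removed | | | package |
| ruby1.8 | removed | | | package |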

Notes

  • https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/

  • https://hackerone.com/reports/302298

  • Fixed by: https://github.com/ruby/ruby/commit/10b96900b90914b0cc1dba36f9736c038db2859d

  • Fixed by: https://github.com/ruby/ruby/commit/e9ddf2ba41a0bffe1047e33576affd48808c5d0b (2.2.10)

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 8 years ago

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS3: 3.7
redhat
almost 8 years ago

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS3: 7.5
nvd
almost 8 years ago

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS3: 7.5
github
more than 3 years ago

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS3: 7.5
fstec
almost 8 years ago

Vulnerability in the Dir.mktmpdir method of the tmpdir library of the Ruby programming language interpreter, allowing an attacker to write arbitrary files to the file system