Description
Tempfile on Windows path traversal vulnerability
There is an unintentional directory creation vulnerability in the tmpdir library bundled with Ruby on Windows. There is also an unintentional file creation vulnerability in the tempfile library bundled with Ruby on Windows, because it uses tmpdir internally.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-28966
- https://github.com/ruby/tmpdir/pull/8
- https://github.com/ruby/tmpdir/commit/93798c01cb7c10476e50a4d80130a329ba47f348
- https://hackerone.com/reports/1131465
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/tmpdir/CVE-2021-28966.yml
- https://rubygems.org/gems/tmpdir
- https://security.netapp.com/advisory/ntap-20210902-0004
- https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966
Packages
Name: tmpdir (rubygems)
Affected versions: < 0.1.2
Fixed version: 0.1.2
Related vulnerabilities
CVSS3: 7.5
ubuntu
more than 4 years ago
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
CVSS3: 7.5
nvd
more than 4 years ago
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
CVSS3: 7.5
debian
more than 4 years ago
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted ...