Description
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby script access unexpected files and to bypass intended file system access restrictions.
Mitigation
It is possible to test for the presence of the NULL byte manually prior to calling the affected methods with an untrusted string.
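The manual check described above, as an added Ruby example that is not part of the advisory or of Ruby itself; the helper names, the allow-list glob and the sample request paths are constructed for illustration:

```ruby
# Added example, not from the advisory or the Ruby project: reject NUL bytes
# before untrusted strings reach File.fnmatch, so the outcome never depends
# on how the installed Ruby treats an embedded NUL.
class UnsafePathString < ArgumentError; end

# Return +str+ unchanged, or raise if it carries an embedded NUL byte.
def reject_nul(str, label)
  raise UnsafePathString, "#{label} contains a NUL byte" if str.include?("\0")
  str
end

# File.fnmatch with both arguments validated first; +flags+ pass through as-is.
def safe_fnmatch(pattern, path, flags = 0)
  File.fnmatch(reject_nul(pattern, "pattern"), reject_nul(path, "path"), flags)
end

# Constructed policy: a script may only touch files below public/.
# FNM_PATHNAME keeps '*' from crossing '/', and without FNM_DOTMATCH the
# '**/' segment does not descend into dot directories such as '..'.
ALLOWED_GLOB = "public/**/*".freeze

# true when +requested_path+ (untrusted input) satisfies the policy;
# a NUL byte anywhere in the request is treated as a denied request.
def allowed?(requested_path)
  safe_fnmatch(ALLOWED_GLOB, requested_path, File::FNM_PATHNAME)
rescue UnsafePathString
  false
end

if __FILE__ == $PROGRAM_NAME
  ["public/index.html", "public/css/site.css", "public/../etc/passwd",
   "etc/passwd", "public/index.html\0.jpg"].each do |req|
    puts "#{req.inspect}: #{allowed?(req) ? 'allowed' : 'denied'}"
  end
end
```

On a patched Ruby, File.fnmatch itself raises ArgumentError for an embedded NUL; the explicit guard keeps the behaviour uniform across versions and lets the caller decide how a rejected string is handled.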
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat 3scale API Management Platform 2 | 3amp-system | Will not fix | | |
Red Hat Enterprise Linux 5 | ruby | Out of support scope | | |
Red Hat Enterprise Linux 6 | ruby | Out of support scope | | |
Red Hat Enterprise Linux 7 | ruby | Will not fix | | |
Red Hat Software Collections | rh-ruby24-ruby | Will not fix | | |
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2021:2587 | 29.06.2021 |
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2021:2588 | 29.06.2021 |
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | ruby | Fixed | RHSA-2022:0581 | 21.02.2022 |
Red Hat Enterprise Linux 8.2 Extended Update Support | ruby | Fixed | RHSA-2022:0582 | 21.02.2022 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-ruby25-ruby | Fixed | RHSA-2021:2104 | 26.05.2021 |
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium
Related vulnerabilities
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.