GHSA-gcqq-w6gr-h9j9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gcqq-w6gr-h9j9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-gcqq-w6gr-h9j9/GHSA-gcqq-w6gr-h9j9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gcqq-w6gr-h9j9
- Aliases
- Published
- 2017-10-24T18:33:35Z
- Modified
- 2024-02-16T08:12:37.749196Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Directory traversal vulnerability in RubyZip
- Details
-
The
Zip::Filecomponent in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses../pathname substrings to write arbitrary files to the filesystem. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-22" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:36:51Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-5946
- https://github.com/rubyzip/rubyzip/issues/315
- https://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2017-5946.yml
- https://github.com/rubyzip/rubyzip
- https://github.com/rubyzip/rubyzip/releases
- https://web.archive.org/web/20200227185727/http://www.securityfocus.com/bid/96445
- http://www.debian.org/security/2017/dsa-3801
Affected packages
RubyGems / rubyzip
Package
- Name
- rubyzip
- Purl
- pkg:gem/rubyzip