GHSA-gj4p-3wh3-2rmf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gj4p-3wh3-2rmf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/12/GHSA-gj4p-3wh3-2rmf/GHSA-gj4p-3wh3-2rmf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gj4p-3wh3-2rmf
- Aliases
- Published
- 2017-12-21T00:47:25Z
- Modified
- 2024-02-16T08:20:04.010887Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Arbitrary file read vulnerability in yard server
- Details
-
lib/yard/core_ext/file.rbin the server in YARD before 0.9.11 does not block relative paths with an initial../sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:37:31Z" }- References
Affected packages
RubyGems / yard
Package
- Name
- yard
- Purl
- pkg:gem/yard
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.9.11
Affected versions
0.*
0.2.0
0.2.1
0.2.2
0.2.3
0.2.3.2
0.2.3.3
0.2.3.4
0.2.3.5
0.4.0
0.5.0
0.5.1p1
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.8.2
0.8.2.1
0.8.3
0.8.4
0.8.4.1
0.8.5
0.8.5.1
0.8.5.2
0.8.6
0.8.6.1
0.8.6.2
0.8.7
0.8.7.1
0.8.7.2
0.8.7.3
0.8.7.4
0.8.7.5
0.8.7.6
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10