gollum Upload File Functionality Permits Arbitrary File Access
Published: September 20, 2015
SECURITY IDENTIFIERS
- CVE: CVE-2015-7314 (NVD)
- GHSA: GHSA-m2q3-53fq-7h66
- OSVDB: OSVDB-127779
- Vendor Advisory: https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1
GEM
gollum
PATCHED VERSIONS
>= 4.0.1
DESCRIPTION
The gollum gem contains a flaw in its file-upload functionality that can allow arbitrary file access. The flaw stems from a lack of type checking when handling temporary files during the upload process.
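The advisory names the weakness class (a missing type check on the temporary file during upload) but not the mechanics, so the following is an added, generic hardening example rather than gollum's own code or its fix. It assumes a Rack/Sinatra-style multipart parameter (a Hash with `:tempfile` and `:filename`), a hypothetical `UploadError` exception, and an `upload_dir` that the caller controls; it shows the two checks a reviewer would want before any file is read or written: the parameter must really be a `Tempfile`, not a string or other object that could be mistaken for a path, and the destination must stay inside the upload directory.

```ruby
require 'tempfile'
require 'tmpdir'
require 'pathname'

# Hypothetical error type for this example (not part of gollum).
class UploadError < StandardError; end

# Rack represents a multipart upload as a Hash with :tempfile and :filename.
# Reject anything else before touching the filesystem, so a plain string
# can never be treated as a path to read from.
def validate_upload!(param)
  raise UploadError, 'upload parameter missing' if param.nil?
  raise UploadError, 'upload must be a multipart file, not a string' unless param.is_a?(Hash)
  tmp = param[:tempfile]
  raise UploadError, 'tempfile must be a Tempfile object' unless tmp.is_a?(Tempfile)
  name = param[:filename]
  raise UploadError, 'filename must be a String' unless name.is_a?(String)
  [tmp, name]
end

# Keep only the base name so "../" segments cannot escape the upload dir,
# then confirm the resolved path is still underneath that directory.
def safe_destination(upload_dir, filename)
  base = File.basename(filename)
  raise UploadError, 'empty or reserved filename' if base.empty? || base == '.' || base == '..'
  dir  = Pathname.new(upload_dir).realpath
  dest = (dir + base).cleanpath
  unless dest.to_s.start_with?(dir.to_s + File::SEPARATOR)
    raise UploadError, 'destination escapes upload directory'
  end
  dest.to_s
end

# Copy the validated tempfile's contents into place and return the final path.
def store_upload(param, upload_dir)
  tmp, name = validate_upload!(param)
  dest = safe_destination(upload_dir, name)
  tmp.rewind
  File.open(dest, 'wb') { |f| IO.copy_stream(tmp, f) }
  dest
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a scratch upload directory and a small Tempfile.
  Dir.mktmpdir do |dir|
    tmp = Tempfile.new('demo-upload')
    tmp.write('constructed sample content')
    tmp.flush
    puts store_upload({ tempfile: tmp, filename: '../../notes.txt' }, dir)
    begin
      store_upload('/some/path/as/string', dir)
    rescue UploadError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The type check comes first on purpose: once the code is certain it holds a `Tempfile` produced by the multipart parser, the only remaining attacker-influenced value is the filename, which the path confinement then handles.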
