Directory traversal vulnerability in guard-livereload
Published: February 04, 2016
SECURITY IDENTIFIERS
- CVE: CVE-2016-1000305 (NVD)
- Vendor Advisory: https://security.snyk.io/vuln/SNYK-RUBY-GUARDLIVERELOAD-20361
GEM
guard-livereload
SEVERITY
CVSS v3.x: 5.3 (Medium)
PATCHED VERSIONS
>= 2.5.2
DESCRIPTION
A directory traversal vulnerability exists in guard-livereload before version 2.5.2.
Improper path validation in the livereload server component allows remote attackers to traverse directories and read arbitrary files on the server outside the intended web root directory.
The issue was identified and reported through the DWF (Distributed Weakness Filing) project, which assigns CVE identifiers for security vulnerabilities.
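The class of flaw described above, as an added Ruby illustration that is not guard-livereload's code or its patch: a naive join of the request path onto a web root next to a containment check that canonicalises the path first. The names naive_resolve, safe_resolve and demo, and the temporary directory layout, are hypothetical and constructed for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Naive (hypothetical): joins the request path onto the root. "../" segments
# survive the join, so the OS may resolve the result to a file outside the root.
def naive_resolve(root, request_path)
  File.join(root, request_path)
end

# Hardened (hypothetical): canonicalise first (resolves "..", "." and symlinks),
# then require the result to be the root itself or to sit below "root/".
# Returns the canonical path, or nil when the request must not be served.
def safe_resolve(root, request_path)
  return nil if request_path.include?("\0")
  real_root = File.realpath(root)
  candidate = File.realpath(File.join(real_root, request_path))
  inside = candidate == real_root ||
           candidate.start_with?(real_root + File::SEPARATOR)
  inside ? candidate : nil
rescue Errno::ENOENT, Errno::ENOTDIR, Errno::EACCES
  nil # missing or unreadable paths are treated as "not served"
end

# Constructed fixture: public/index.html, a private file beside the root, a
# sibling directory sharing the root's name prefix, and a symlink inside the
# root that points outside it.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, 'public')
    FileUtils.mkdir_p([root, File.join(tmp, 'public-backup')])
    File.write(File.join(root, 'index.html'), 'ok')
    File.write(File.join(tmp, 'secret.txt'), 'private')
    File.write(File.join(tmp, 'public-backup', 'old.html'), 'old')
    File.symlink(File.join(tmp, 'secret.txt'), File.join(root, 'link.txt'))
    {
      naive_escapes:  File.read(naive_resolve(root, '/../secret.txt')) == 'private',
      index_served:   !safe_resolve(root, '/index.html').nil?,
      dotdot:         safe_resolve(root, '/../secret.txt'),
      prefix_sibling: safe_resolve(root, '/../public-backup/old.html'),
      symlink:        safe_resolve(root, '/link.txt'),
      missing:        safe_resolve(root, '/nope.html')
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The trailing separator in the prefix comparison is what rejects the sibling directory "public-backup", which a bare start_with?(real_root) check would accept.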
RELATED
- https://security.snyk.io/vuln/SNYK-RUBY-GUARDLIVERELOAD-20361
- https://rubygems.org/gems/guard-livereload/versions/2.5.2
- https://github.com/guard/guard-livereload/releases/tag/v2.5.2
- https://github.com/guard/guard-livereload/pull/158
- https://github.com/guard/guard-livereload/pull/158/changes/a24c99e4ce4542d16f5a578df8d47b1275feca46
- https://github.com/guard/guard-livereload/issues/159
- https://github.com/rubysec/ruby-advisory-db/issues/289
- https://github.com/rubysec/ruby-advisory-db/pull/1026
