RubySec

Providing security resources for the Ruby community

CVE-2017-5946 (rubyzip): Directory traversal vulnerability in rubyzip

ADVISORIES

GEM

rubyzip

SEVERITY

CVSS v3: 9.8

CVSS v2: 7.5

PATCHED VERSIONS

  • >= 1.2.1

DESCRIPTION

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses “../” pathname substrings to write arbitrary files to the filesystem.