Directory traversal vulnerability in rubyzip
Published: February 27, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-5946 (NVD)
- GHSA: GHSA-gcqq-w6gr-h9j9
- Vendor Advisory: https://github.com/rubyzip/rubyzip/issues/315
GEM
SEVERITY
PATCHED VERSIONS
>= 1.2.1
DESCRIPTION
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
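A check an application can run on each entry name before writing it to disk, as an added example (not rubyzip's own code or its fix). The helper names `safe_destination` and `audit_entries`, the extraction root, and the sample entry names are assumptions constructed for illustration.

```ruby
# Added example: validate zip entry names against an extraction root.
# The check is lexical; it does not follow symlinks already present on disk.

EXTRACT_ROOT = "/srv/uploads/unpacked" # hypothetical extraction directory

# Returns the absolute path an entry would be written to, or nil when the
# name is empty, absolute, or resolves outside dest_root.
def safe_destination(dest_root, entry_name)
  root = File.expand_path(dest_root)
  # Treat backslashes as separators so "..\\..\\x" is checked like "../../x".
  name = entry_name.tr("\\", "/")
  return nil if name.empty? || name.include?("\0") || name.start_with?("/")
  # The "./" prefix stops expand_path from treating a leading "~" as a home dir.
  target = File.expand_path("./" + name, root)
  # Compare against root plus a separator: a bare prefix test would accept
  # a sibling directory such as "/srv/uploads/unpacked-old".
  target.start_with?(root + File::SEPARATOR) ? target : nil
end

# Splits entry names into [accepted, rejected] for a given root.
def audit_entries(dest_root, names)
  names.partition { |n| safe_destination(dest_root, n) }
end

# Constructed sample entry names, as they might appear in an uploaded archive.
SAMPLE_ENTRIES = [
  "docs/readme.txt",        # ordinary entry
  "docs/../notes.txt",      # contains ".." but stays inside the root
  "../../etc/cron.d/job",   # climbs out of the root
  "../unpacked-old/x.txt",  # sibling directory sharing the root's prefix
  "/etc/passwd",            # absolute path
  "..\\..\\boot.ini"        # backslash-separated traversal
].freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = audit_entries(EXTRACT_ROOT, SAMPLE_ENTRIES)
  accepted.each { |n| puts "ok      #{n} -> #{safe_destination(EXTRACT_ROOT, n)}" }
  rejected.each { |n| puts "reject  #{n}" }
end
```

Upgrading to a patched version remains the fix; a check like this is defence in depth for code that builds its own destination paths from entry names.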
