RubySec

Providing security resources for the Ruby community

CVE-2018-17567 (jekyll): Jekyll _config.yml privilege escalation

ADVISORIES

GEM

jekyll

SEVERITY

CVSS v3: 7.5

PATCHED VERSIONS

  • ~> 3.6.3
  • ~> 3.7.4
  • >= 3.8.4

DESCRIPTION

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the “include” key in the “_config.yml” file.