RubySec

Providing security resources for the Ruby community

CVE-2019-1020001 (yard): Arbitrary path traversal and file access via `yard server`

GEM

yard

SEVERITY

CVSS v3.x: 7.5 (High)

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

  • >= 0.9.20

DESCRIPTION

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using `yard server` to serve documentation. Under certain conditions this bug allows unsanitized HTTP requests to access arbitrary files on the host running `yard server`.

The issue is resolved in v0.9.20 and later.
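The two checks a practitioner wants from this advisory are (1) whether an installed yard falls inside the patched range and (2) what the fix for this bug class looks like: a request path must be mapped onto a file under the documentation root and rejected if it would escape it. The example below is added here for illustration; it is not yard's own code and does not show how yard's server was actually written or fixed. `PATCHED_YARD`, `yard_patched?`, `percent_decode_once`, `safe_doc_path` and the document root `/srv/yard-docs` are all hypothetical names chosen for this example; only the version boundary `>= 0.9.20` comes from the advisory.

```ruby
require "pathname"
require "rubygems"

# Patched versions per the advisory: yard >= 0.9.20.
PATCHED_YARD = Gem::Requirement.new(">= 0.9.20")

# True when a yard version string is outside the affected range (<= 0.9.19).
def yard_patched?(version)
  PATCHED_YARD.satisfied_by?(Gem::Version.new(version))
end

# Decode %XX escapes exactly once. Deliberately not looped, so a
# double-encoded "%252e" becomes the literal text "%2e", not ".".
def percent_decode_once(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Map an HTTP request path onto a file under +root+ (a hypothetical document
# root). Returns the absolute filesystem path, or nil when the request would
# escape the root. The containment check is purely lexical: it normalises
# "." and ".." and then confirms the result still lies under root. Symlinks
# inside root are out of scope for this illustration.
def safe_doc_path(root, request_path)
  root = Pathname.new(File.expand_path(root))
  decoded = percent_decode_once(request_path.to_s)
  return nil if decoded.include?("\0")   # NUL would truncate the path in C-level calls
  decoded = decoded.tr("\\", "/")        # treat backslash as a separator as well
  relative = decoded.sub(%r{\A/+}, "")   # request paths are root-relative by definition
  clean = Pathname.new(relative.empty? ? "." : relative).cleanpath
  return nil if clean.absolute?                    # defensive; leading slashes were stripped
  return nil if clean.each_filename.first == ".."  # anything left still points above root
  candidate = (root + clean).to_s
  # Belt and braces: the joined path must equal root or sit strictly beneath it.
  return nil unless candidate == root.to_s || candidate.start_with?(root.to_s + "/")
  candidate
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/yard-docs"  # hypothetical document root; need not exist for the lexical check
  puts "yard 0.9.19 patched? #{yard_patched?('0.9.19')}"
  puts "yard 0.9.20 patched? #{yard_patched?('0.9.20')}"
  # Constructed request paths: one benign, one normalised, three traversal attempts.
  ["/index.html", "/docs/../index.html", "/../../etc/passwd",
   "/%2e%2e/%2e%2e/etc/passwd", "/a/b/../../../etc/passwd"].each do |req|
    puts "#{req.ljust(28)} -> #{safe_doc_path(root, req).inspect}"
  end
end
```

To check a real installation, pass `Gem.loaded_specs["yard"].version.to_s` (or the output of `gem list yard`) to `yard_patched?`. The decode-once rule matters: a server that decodes in a loop, or decodes after it has already checked for `..`, reintroduces exactly the class of bug this advisory describes.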
