Arbitrary path traversal and file access via `yard server`
Published: July 02, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-1020001 (NVD)
- GHSA: GHSA-xfhh-rx56-rxcr
- Vendor Advisory: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
GEM
yard
SEVERITY
PATCHED VERSIONS
>= 0.9.20
DESCRIPTION
A path traversal vulnerability was discovered in YARD <= 0.9.19 when using
`yard server` to serve documentation. This bug allowed unsanitized HTTP
request paths to read arbitrary files on the machine hosting `yard server`,
under certain conditions.
The issue is resolved in v0.9.20 and later.
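Two checks a defender would want alongside this advisory, as an added example that is not yard's own code: whether an installed YARD version satisfies the patched constraint above, and the kind of path-containment check a documentation server needs so that a decoded request path cannot escape the docs root. The docs root `/srv/docs` and the request paths are constructed sample values.

```ruby
require "rubygems"

# Patched-version constraint, taken from the advisory.
PATCHED = Gem::Requirement.new(">= 0.9.20")

# True when the given YARD version string is covered by the fix.
def yard_version_patched?(version)
  PATCHED.satisfied_by?(Gem::Version.new(version))
end

# Resolve a requested URL path against the documentation root and refuse
# anything that would land outside it. Illustrative containment check only;
# this is not how yard implements its server.
def safe_doc_path(root, requested)
  root = File.expand_path(root)

  # Percent-decode exactly once, working on raw bytes so encoded multi-byte
  # sequences cannot raise on concatenation; then reject undecodable input.
  decoded = requested.b.gsub(/%([0-9a-fA-F]{2})/) { [$1].pack("H2") }
  decoded.force_encoding(Encoding::UTF_8)
  return nil unless decoded.valid_encoding?
  return nil if decoded.include?("\0") # NUL would truncate the path in C APIs

  rel = decoded.sub(%r{\A/+}, "")
  return nil if rel.start_with?("~")   # expand_path would resolve "~" to $HOME

  candidate = File.expand_path(rel, root) # collapses "." and ".." segments
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  inside ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "0.9.19 patched? #{yard_version_patched?('0.9.19')}"
  puts safe_doc_path("/srv/docs", "/%2e%2e/%2e%2e/etc/passwd").inspect
end
```

Symlinks inside the root are not resolved here; a production server would additionally compare `File.realpath` of an existing candidate against the root.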
