RubySec

Providing security resources for the Ruby community

CVE-2019-1020001 (yard): Arbitrary path traversal and file access via `yard server`

ADVISORIES

GEM

yard

SEVERITY

CVSS v3: 7.3

PATCHED VERSIONS

  • >= 0.9.20

DESCRIPTION

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The issue is resolved in v0.9.20 and later.