RubySec

Providing security resources for the Ruby community

CVE-2021-28966 (tmpdir): Path traversal in Tempfile on Windows


Published: April 05, 2021

SECURITY IDENTIFIERS

GEM

tmpdir

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 0.1.2

DESCRIPTION

There is an unintentional directory creation vulnerability in the tmpdir library bundled with Ruby on Windows. There is also an unintentional file creation vulnerability in the tempfile library bundled with Ruby on Windows, because it uses tmpdir internally.
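The following is an added example, not part of the advisory or of Ruby's own code. It checks the tmpdir version RubyGems can see against the patched range above, and adds a defensive wrapper for applications that pass caller-supplied text as the temp name prefix. That usage pattern is an assumption, and the names `safe_tmp_affix` and `mktmpdir_untrusted` are hypothetical.

```ruby
require "rubygems"
require "tmpdir"

# Patched range copied from the advisory: tmpdir >= 0.1.2.
PATCHED_TMPDIR = Gem::Requirement.new(">= 0.1.2")

# True when a tmpdir version string falls inside the patched range.
def tmpdir_patched?(version)
  PATCHED_TMPDIR.satisfied_by?(Gem::Version.new(version))
end

# Highest tmpdir gemspec RubyGems can see, or nil when none is found.
def installed_tmpdir_version
  Gem::Specification.find_all_by_name("tmpdir").map(&:version).max&.to_s
end

# Assumption of this example: reject, rather than strip, any affix that
# contains a path separator ("/" or "\"), a drive colon or a NUL byte.
UNSAFE_AFFIX = %r{[/\\:\x00]}

def safe_tmp_affix(value)
  text = value.to_s
  raise ArgumentError, "unsafe temp name affix: #{text.inspect}" if text.match?(UNSAFE_AFFIX)
  text
end

# Hypothetical wrapper for caller-supplied prefixes. After creation it also
# confirms that the new directory is a direct child of the intended base.
def mktmpdir_untrusted(prefix, base = Dir.tmpdir)
  dir = Dir.mktmpdir(safe_tmp_affix(prefix), base)
  unless File.dirname(File.realpath(dir)) == File.realpath(base)
    Dir.rmdir(dir)
    raise SecurityError, "temp directory created outside #{base}"
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  version = installed_tmpdir_version
  if version.nil?
    puts "no tmpdir gemspec found"
  else
    status = tmpdir_patched?(version) ? "patched" : "VULNERABLE, upgrade to >= 0.1.2"
    puts "tmpdir #{version}: #{status}"
  end
end
```

The affix check is a defence-in-depth measure for application code and does not replace upgrading to a patched version.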
