RubySec

Providing security resources for the Ruby community

CVE-2021-28966 (tmpdir): Path traversal in Tempfile on Windows

ADVISORIES

GEM

tmpdir

SEVERITY

CVSS v3: 7.5 (High)

PATCHED VERSIONS

  • >= 0.1.2

DESCRIPTION

There is an unintentional directory creation vulnerability in the tmpdir library bundled with Ruby on Windows. The tempfile library bundled with Ruby on Windows has a related unintentional file creation vulnerability, because it uses tmpdir internally.
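One way to check whether a project's Gemfile.lock pins a tmpdir release below the patched range, as an added example that is not part of the RubySec advisory or the tmpdir project. Only the gem name and the ">= 0.1.2" range come from the advisory; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Values taken from the advisory above.
ADVISORY_GEM = "tmpdir"
PATCHED = Gem::Requirement.new(">= 0.1.2")

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fileutils (1.5.0)
      rake (13.0.6)
      tmpdir (0.1.1)
        fileutils

  PLATFORMS
    x64-mingw32

  DEPENDENCIES
    tmpdir
LOCK

# Return the resolved versions of gem_name found in a Gemfile.lock.
# Resolved gems are indented exactly four spaces; the six-space lines
# beneath them are dependency constraints and are skipped.
def locked_versions(lockfile_text, gem_name)
  lockfile_text.each_line.map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m && m[1] == gem_name
    # Drop any platform suffix ("1.2.3-x64-mingw32") before parsing.
    Gem::Version.new(m[2].split("-").first)
  end.compact
end

# Classify each pinned tmpdir version. The advisory affects Windows only,
# so an old version on another platform is reported separately.
def tmpdir_findings(lockfile_text, windows: Gem.win_platform?)
  locked_versions(lockfile_text, ADVISORY_GEM).map do |version|
    status = if PATCHED.satisfied_by?(version) then :patched
             elsif windows then :vulnerable
             else :unpatched_not_windows
             end
    { version: version.to_s, status: status }
  end
end

puts tmpdir_findings(SAMPLE_LOCK, windows: true).inspect if __FILE__ == $PROGRAM_NAME
```

An empty result means the lockfile does not pin tmpdir, in which case the copy bundled with the Ruby interpreter is the one in use and has to be checked separately.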