GHSA-29g5-m8v7-v564 (measured): Measured is vulnerable to Path Traversal attacks during class initialization

ADVISORIES

GHSA-29g5-m8v7-v564
Vendor Advisory

GEM

PATCHED VERSIONS

>= 3.2.1

DESCRIPTION

Impact

A path traversal vulnerability exists where an attacker with access to manipulate inputs when initializing the Measured::Cache::Json class would be able to instruct the library to read arbitrary files.

Patches

Users should update to the latest version.

https://github.com/Shopify/measured/security/advisories/GHSA-29g5-m8v7-v564
https://github.com/Shopify/measured/commit/d6319985a2304d97c085e3dc45c98af554f4be76
https://github.com/advisories/GHSA-29g5-m8v7-v564

RubySec