RubySec

Providing security resources for the Ruby community

GHSA-xfhh-rx56-rxcr (yard): Possible arbitrary path traversal and file access via `yard server`

Published: July 02, 2019

SECURITY IDENTIFIERS

GHSA-xfhh-rx56-rxcr

GEM

yard

PATCHED VERSIONS

>= 0.9.20

DESCRIPTION

A path traversal vulnerability was discovered in YARD <= 0.9.19 when `yard server` is used to serve documentation. Under certain conditions, a crafted, unsanitized HTTP request path could be used to read arbitrary files on the host running `yard server`, not only the documentation it was meant to serve. Upgrade to 0.9.20 or later; until then, do not expose `yard server` to clients you do not trust.
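The bug class behind this advisory, shown on a toy documentation server rather than on YARD's code. This is an added example and is not YARD's implementation; the server functions, the temporary docs root and the `secret.txt` file outside it are all constructed here to make the traversal observable. The unsafe handler joins the request path onto the docs root without confining the result; the hardened handler canonicalises the joined path, resolves symlinks, and refuses anything that does not remain under the root.

```ruby
# Added illustration of path traversal in a file-serving handler.
# NOT YARD's code: the handlers and the fixture below are constructed for this example.
require "fileutils"
require "tmpdir"

# Vulnerable: maps the request path onto the docs root and reads whatever it lands on.
# "../secret.txt" escapes the root because nothing checks where the join ends up.
def serve_unsafe(root, request_path)
  path = File.join(root, request_path)
  File.file?(path) ? File.read(path) : nil
end

# Hardened: reject NUL bytes (some path APIs truncate on them), canonicalise the
# joined path, resolve symlinks, and only serve files that stay under the real root.
def serve_safe(root, request_path)
  return nil if request_path.include?("\0")
  root = File.realpath(root)
  # File.join keeps the absolute root in front, so a leading "/" or "~" in the
  # request cannot turn the string into an absolute or home-relative path;
  # expand_path then collapses any "../" segments.
  candidate = File.expand_path(File.join(root, request_path))
  return nil unless File.file?(candidate)
  resolved = File.realpath(candidate) # follows symlinks planted under the root
  return nil unless resolved.start_with?(root + File::SEPARATOR)
  File.read(resolved)
end

# Constructed fixture: <tmp>/docs/index.html is the only file that should be served;
# <tmp>/secret.txt sits one level above the docs root and must never be readable.
def with_fixture
  Dir.mktmpdir("traversal-demo") do |tmp|
    docs = File.join(tmp, "docs")
    FileUtils.mkdir_p(docs)
    File.write(File.join(docs, "index.html"), "<h1>docs</h1>")
    File.write(File.join(tmp, "secret.txt"), "TOPSECRET")
    yield docs
  end
end

# Runs the same traversal request through both handlers.
# Returns [unsafe_result, safe_result, safe_legitimate_result].
def demo
  with_fixture do |docs|
    traversal = "../secret.txt"
    [
      serve_unsafe(docs, traversal),   # leaks the file outside the root
      serve_safe(docs, traversal),     # refused: nil
      serve_safe(docs, "index.html")   # legitimate request still works
    ]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A real server would also URL-decode the request path before this check; run the decoded form through `serve_safe`, never the raw one, so `..%2f` cannot slip past a string-level filter. The `File.realpath` step matters because a prefix check on the unresolved path can be bypassed by a symlink inside the docs root that points outside it.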