Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: rubyzip
date: 2018-06-14
url: https://github.com/rubyzip/rubyzip/issues/369
cve: 2018-1000544
title: Directory Traversal in rubyzip
description: |
  rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
  in the Zip::File component that can result in arbitrary files being written to
  the filesystem. If a site allows uploading of .zip files, an attacker can upload
  a malicious file containing symlinks, or entries whose names are absolute paths
  or contain "../" components, to write arbitrary files to the filesystem.
patched_versions:
- ">= 1.2.2"
related:
  cve: '["2017-5946"]'
  url: '["https://security-tracker.debian.org/tracker/CVE-2018-1000544"]'
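The fix class this advisory calls for is to validate each archive entry name against the extraction directory before any write, and to refuse symlink entries outright. The following is an added example written for this page; it is not rubyzip's own code and does not depend on the gem. `safe_extraction_path`, `plan_extraction`, the directory `/srv/uploads/extract` and the `SAMPLE_ENTRIES` list are all constructed for illustration; the `:symlink` flag stands in for whatever the archive library reports about an entry's type.

```ruby
# Added example (not rubyzip's own code): validate archive entry names
# before writing them under an extraction directory.

# Returns the absolute destination path for entry_name if it stays
# inside dest_dir, or nil if the entry must be rejected.
def safe_extraction_path(dest_dir, entry_name)
  root = File.absolute_path(dest_dir)
  # File.absolute_path resolves "." and ".." lexically and, unlike
  # File.expand_path, does NOT expand a leading "~" into a home directory,
  # so the comparison below is on the normalized path the write would hit.
  candidate = File.absolute_path(entry_name, root)
  # An absolute entry name ("/etc/passwd") or one that climbs out with ".."
  # will not share the root prefix and is rejected here.
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
rescue ArgumentError
  # Entry names containing a NUL byte make path conversion raise; reject them.
  nil
end

# entries: array of { name:, symlink: } hashes, a constructed stand-in for
# archive entries. Returns [accepted_paths, rejected_names].
def plan_extraction(dest_dir, entries)
  accepted = []
  rejected = []
  entries.each do |entry|
    # Symlink entries are refused regardless of name: following one on a
    # later write would redirect the write outside the extraction root.
    path = entry[:symlink] ? nil : safe_extraction_path(dest_dir, entry[:name])
    if path
      accepted << path
    else
      rejected << entry[:name]
    end
  end
  [accepted, rejected]
end

# Constructed sample: a mix of benign and hostile entry names.
SAMPLE_ENTRIES = [
  { name: "images/logo.png",        symlink: false },
  { name: "docs/../readme.txt",     symlink: false }, # normalizes inside root
  { name: "../../etc/passwd",       symlink: false }, # climbs out of root
  { name: "/etc/cron.d/evil",       symlink: false }, # absolute path
  { name: "docs/../../outside.txt", symlink: false }, # climbs out via a subdir
  { name: "bad\0name",              symlink: false }, # NUL byte in name
  { name: "link-to-etc",            symlink: true  }, # symlink entry
].freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = plan_extraction("/srv/uploads/extract", SAMPLE_ENTRIES)
  puts "accepted:"
  accepted.each { |p| puts "  #{p}" }
  puts "rejected:"
  rejected.each { |n| puts "  #{n.inspect}" }
end
```

The check is deliberately done on the normalized path rather than by scanning the name for `..`, so that `docs/../readme.txt` (which stays inside the root) is accepted while `docs/../../outside.txt` (which leaves it) is not. Note that a literal `~` directory name is accepted because `File.absolute_path` leaves it alone; using `File.expand_path` here would turn `~/.ssh/authorized_keys` into a write under the process owner's home directory.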