Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: yard
date: 2017-11-28
url: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
cve: 2017-17042
title: Potential arbitrary file read vulnerability in yard server
description: |
  lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
  relative paths with an initial ../ sequence, which allows attackers to conduct
  directory traversal attacks and read arbitrary files.
cvss_v2: '5.0'
cvss_v3: '7.5'
patched_versions:
- ">= 0.9.11"