Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Back

---
gem: yard
date: 2019-07-02
url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
cve: 2019-1020001
title: Arbitrary path traversal and file access via `yard server`
description: "A path traversal vulnerability was discovered in YARD <= 0.9.19 when
  using \n`yard server` to serve documentation. This bug would allow unsanitized HTTP\nrequests
  to access arbitrary files on the machine of a yard server host under\ncertain conditions.\n\nThe
  issue is resolved in v0.9.20 and later.\n"
cvss_v3: '7.3'
patched_versions:
- ">= 0.9.20"