Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive


gem: yard
date: 2019-07-02
cve: 2019-1020001
title: Arbitrary path traversal and file access via `yard server`
description: "A path traversal vulnerability was discovered in YARD <= 0.9.19 when
  using \n`yard server` to serve documentation. This bug would allow unsanitized HTTP\nrequests
  to access arbitrary files on the machine of a yard server host under\ncertain conditions.\n\nThe
  issue is resolved in v0.9.20 and later.\n"
cvss_v3: '7.3'
- ">= 0.9.20"