Path traversal in RubyGems - CVE-2018-1000079
Published: April 8, 2018
Vulnerability identifier: #VU11615
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000079
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Ruby
Affected software:
RubyGems
RubyGems
Detailed vulnerability description
The vulnerability allows a remote attacker to modify file locations on the target system.
The weakness exists due to the improper handling of pathnames when the affected software installs new components. A remote attacker can persuade the victim into install a malicious RubyGems gem and use directory traversal techniques to write to arbitrary file locations.
The weakness exists due to the improper handling of pathnames when the affected software installs new components. A remote attacker can persuade the victim into install a malicious RubyGems gem and use directory traversal techniques to write to arbitrary file locations.
How to mitigate CVE-2018-1000079
Update to version 2.7.6.