In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 04:14
Type | Values Removed | Values Added |
---|---|---|
References | () http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html - | |
References | () http://www.securityfocus.com/bid/103739 - Third Party Advisory, VDB Entry | |
References | () http://www.securitytracker.com/id/1042004 - Third Party Advisory, VDB Entry | |
References | () https://access.redhat.com/errata/RHSA-2018:3729 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2018:3730 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2018:3731 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2028 - | |
References | () https://access.redhat.com/errata/RHSA-2020:0542 - | |
References | () https://access.redhat.com/errata/RHSA-2020:0591 - | |
References | () https://access.redhat.com/errata/RHSA-2020:0663 - | |
References | () https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html - Mailing List, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html - Mailing List, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html - Mailing List, Third Party Advisory | |
References | () https://usn.ubuntu.com/3626-1/ - Third Party Advisory | |
References | () https://www.debian.org/security/2018/dsa-4259 - Third Party Advisory | |
References | () https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ - Vendor Advisory | |
References | () https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/ - Patch, Vendor Advisory | |
References | () https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/ - Patch, Vendor Advisory | |
References | () https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/ - Patch, Vendor Advisory | |
References | () https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/ - Patch, Vendor Advisory |
Information
Published : 2018-04-03 22:29
Updated : 2024-11-21 04:14
NVD link : CVE-2018-8780
Mitre link : CVE-2018-8780
CVE.ORG link : CVE-2018-8780
JSON object : View
Products Affected
canonical
- ubuntu_linux
debian
- debian_linux
ruby-lang
- ruby
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')