RubyGems Link Following vulnerability
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Mar 9, 2023
Description
Published by the National Vulnerability Database
Mar 13, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Mar 8, 2023
Last updated
Mar 9, 2023
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in
install_location
function ofpackage.rb
that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.References