All Vulnerability Reports

CVE-2017-5946: Directory Traversal in Rubyzip


Severity

High

Vendor

Rubyzip

Versions Affected
  • All Rubyzip versions prior to 1.2.1
Description

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • PCF Operations Manager:
    • 1.6.x versions prior to 1.6.30
    • 1.7.x versions prior to 1.7.24
    • 1.8.x versions prior to 1.8.16
    • 1.9.x versions prior to 1.9.6
  • Please note: PCF Operations Manager 1.10.x and 1.11.x versions are not affected.
Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • PCF Operations Manager: 1.6.30, 1.7.24, 1.8.16, 1.9.6
References