CVE-2017-5946
CRITICALrubyzip < 1.2.1 - Path Traversal via Zip::File Component
Title source: llmDescription
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/rubyzip/rubyzip/releases
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96445
Third Party Advisory x_refsource_confirm
https://github.com/rubyzip/rubyzip/issues/315
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3801
Scores
CVSS v3
9.8
EPSS
0.0592
EPSS Percentile
90.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (4)
debian/debian_linux
8.0
debian/debian_linux
9.0
rubygems/rubyzip
0 - 1.2.1RubyGems
rubyzip_project/rubyzip
< 1.2.1
Published
Feb 27, 2017
Tracked Since
Feb 18, 2026