CVE-2018-1000544

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:rubyzip_project:rubyzip:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*

Information

Published : 2018-06-26 09:29

Updated : 2020-08-24 10:37


NVD link : CVE-2018-1000544

Mitre link : CVE-2018-1000544


JSON object : View

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-59

Improper Link Resolution Before File Access ('Link Following')

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

redhat

  • cloudforms

rubyzip_project

  • rubyzip