SB2018032917 - Path traversal in ruby (Alpine package)
Published: March 29, 2018
Security Bulletin ID
SB2018032917
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2018-8780)
The vulnerability allows a remote attacker to obtain potentially sensitive information and write arbitrary files on the target system.The weakness exists in the Dir.open, Dir.new, Dir.entries and Dir.empty? methods due to improper checking of NULL characters. A remote attacker can trigger the unintentional directory traversal.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0bba17025ab6922c000ede63361dd0220e92ed31
- https://git.alpinelinux.org/aports/commit/?id=1779cab830661bf6686eb27c5b5c3117f8b91cee
- https://git.alpinelinux.org/aports/commit/?id=8e71f2e5fdb9d522368ddca664bf4a3f68864028
- https://git.alpinelinux.org/aports/commit/?id=a491b96c266e9165971fad3460ad3c8371fa5f3d