Vulnerability Description
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyzip Project | Rubyzip | < 1.2.1 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3801Third Party Advisory
- http://www.securityfocus.com/bid/96445Third Party AdvisoryVDB Entry
- https://github.com/rubyzip/rubyzip/issues/315Third Party Advisory
- https://github.com/rubyzip/rubyzip/releasesThird Party Advisory
- http://www.debian.org/security/2017/dsa-3801Third Party Advisory
- http://www.securityfocus.com/bid/96445Third Party AdvisoryVDB Entry
- https://github.com/rubyzip/rubyzip/issues/315Third Party Advisory
- https://github.com/rubyzip/rubyzip/releasesThird Party Advisory
FAQ
What is CVE-2017-5946?
CVE-2017-5946 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "....
How severe is CVE-2017-5946?
CVE-2017-5946 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-5946?
Check the references section above for vendor advisories and patch information. Affected products include: Rubyzip Project Rubyzip, Debian Debian Linux.