Vulnerability Description
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jekyllrb | Jekyll | <= 3.6.2 |
Related Weaknesses (CWE)
References
- https://github.com/jekyll/jekyll/pull/7224 (Patch, Third Party Advisory)
- https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ (Patch, Vendor Advisory)
- https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b
FAQ
What is CVE-2018-17567?
CVE-2018-17567 is a vulnerability with a CVSS score of 7.5 (HIGH). Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.
How severe is CVE-2018-17567?
CVE-2018-17567 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2018-17567?
Yes. The References section above links the upstream fix (jekyll/jekyll pull request 7224) and the vendor advisory announcing the fixed releases. Affected products include: Jekyllrb Jekyll.