CVE-2018-6914 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2018-6914?

CVE-2018-6914 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-6914?

Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Ruby, Canonical Ubuntu Linux, Debian Debian Linux, Redhat Enterprise Linux.

Vulnerability Description

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Ruby-Lang	Ruby	>= 2.2.0, < 2.2.10
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	7.0
Redhat	Enterprise Linux	6.0

Related Weaknesses (CWE)

CWE-22

References

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
http://www.securityfocus.com/bid/103686Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1042004Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3729Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3730Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3731Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2028
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/04/msg00024.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3626-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4259Third Party Advisory
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/PatchRelease Notes
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/PatchRelease Notes
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/PatchRelease Notes

FAQ

What is CVE-2018-6914?

CVE-2018-6914 is a vulnerability with a CVSS score of 7.5 (HIGH). Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow att...

How severe is CVE-2018-6914?

CVE-2018-6914 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-6914?

Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Ruby, Canonical Ubuntu Linux, Debian Debian Linux, Redhat Enterprise Linux.