CVE-2017-5946
CRITICAL9.8EPSS 5.9%ruby-zip - security update
Published: 10/24/2017Modified: 4/28/2026
Description
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
Affected packages (4)
- Debian/libzip-rubyfrom 0, < 0.9.4-1+deb7u1
- Debian/ruby-zipfrom 0, < 1.2.0-1.1
- Debian/ruby-zipfrom 0, < 1.1.6-1+deb8u1
- RubyGems/rubyzipfrom 0, < 1.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-5946
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-5946
- PATCHhttps://github.com/rubyzip/rubyzip
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2017-5946.yml
- WEBhttps://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016
- WEBhttps://github.com/rubyzip/rubyzip/issues/315
- WEBhttps://github.com/rubyzip/rubyzip/releases
- WEBhttps://web.archive.org/web/20200227185727/http://www.securityfocus.com/bid/96445
- WEBhttp://www.debian.org/security/2017/dsa-3801