CVE-2017-5946
CRITICAL9.8EPSS 5.9%ruby-zip - security update
發布日:2017/10/24修改日:2026/4/28
描述
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
受影響套件(4)
- Debian/libzip-rubyfrom 0, < 0.9.4-1+deb7u1
- Debian/ruby-zipfrom 0, < 1.2.0-1.1
- Debian/ruby-zipfrom 0, < 1.1.6-1+deb8u1
- RubyGems/rubyzipfrom 0, < 1.2.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-5946
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-5946
- PATCHhttps://github.com/rubyzip/rubyzip
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2017-5946.yml
- WEBhttps://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016
- WEBhttps://github.com/rubyzip/rubyzip/issues/315
- WEBhttps://github.com/rubyzip/rubyzip/releases
- WEBhttps://web.archive.org/web/20200227185727/http://www.securityfocus.com/bid/96445
- WEBhttp://www.debian.org/security/2017/dsa-3801