CVE-2018-1000544

Sažetak

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..

Reference

https://access.redhat.com/errata/RHSA-2018:3466
https://github.com/rubyzip/rubyzip/issues/369
https://lists.debian.org/debian-lts-announce/2018/08/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00002.html

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

24-08-2020 - 17:37

Objavljeno

26-06-2018 - 16:29