Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2017-5946

Good to know:

icon

Date: February 27, 2017

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.

Language: Ruby

Severity Score

Related Resources (12)

https://nvd.nist.gov/vuln/detail/CVE-2017-5946
http://www.securityfocus.com/bid/96445
https://github.com/advisories/GHSA-3q5q-f79q-7hr2
https://security-tracker.debian.org/tracker/CVE-2017-5946
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2017-5946.yml
https://github.com/rubyzip/rubyzip/releases
http://www.debian.org/security/2017/dsa-3801
https://github.com/rubyzip/rubyzip
https://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016
https://github.com/rubyzip/rubyzip/issues/315
https://web.archive.org/web/20200227185727/http://www.securityfocus.com/bid/96445
https://www.mend.io/vulnerability-database/CVE-2017-5946

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version rubyzip - 1.2.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us