{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses \"../\" pathname substrings to write arbitrary files to the filesystem."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rubyzip/rubyzip/releases"}, {"name": "96445", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96445"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rubyzip/rubyzip/issues/315"}, {"name": "DSA-3801", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3801"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5946", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses \"../\" pathname substrings to write arbitrary files to the filesystem."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rubyzip/rubyzip/releases", "refsource": "CONFIRM", "url": "https://github.com/rubyzip/rubyzip/releases"}, {"name": "96445", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96445"}, {"name": "https://github.com/rubyzip/rubyzip/issues/315", "refsource": "CONFIRM", "url": "https://github.com/rubyzip/rubyzip/issues/315"}, {"name": "DSA-3801", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3801"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:18:49.419Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rubyzip/rubyzip/releases"}, {"name": "96445", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96445"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rubyzip/rubyzip/issues/315"}, {"name": "DSA-3801", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3801"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5946", "datePublished": "2017-02-27T07:25:00", "dateReserved": "2017-02-09T00:00:00", "dateUpdated": "2024-08-05T15:18:49.419Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyzip_project:rubyzip:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "AE0F706C-927B-4BF2-99D1-C0F3C37605CF", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses \"../\" pathname substrings to write arbitrary files to the filesystem."}, {"lang": "es", "value": "El componente Zip::File en la gema rubyzip en versiones anteriores a 1.2.1 para Ruby tiene una vulnerabilidad de salto de directorio. Si un sitio permite la carga de archivos .zip, un atacante puede cargar un archivo malicioso que utiliza subcadenas de nombre de ruta \"../\" para escribir archivos arbitrarios en el sistema de archivos."}], "id": "CVE-2017-5946", "lastModified": "2020-05-14T12:47:54.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-27T07:59:00.317", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-3801"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96445"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/rubyzip/rubyzip/issues/315"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/rubyzip/rubyzip/releases"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rubygem-rubyzip: Directory traversal in the Zip::File component", "id": "1427937", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427937"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses \"../\" pathname substrings to write arbitrary files to the filesystem."], "name": "CVE-2017-5946", "package_state": [{"cpe": "cpe:/a:redhat:qci:1.0::el7", "fix_state": "Under investigation", "package_name": "tfm-rubygem-rubyzip", "product_name": "Red Hat Quickstart Cloud Installer 1"}], "public_date": "2017-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-5946\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-5946"], "statement": "This issue affects the versions of rubygem-rubyzip as shipped with Red Hat Quick Cloud Installer. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate", "upstream_fix": "rubyzip 1.2.1"}