CVE-2018-1000073

Improper Link Resolution Before File Access ('Link Following') in maven/org.jruby/jruby-stdlib

Identifiers

GHSA-gx69-6cp4-hxrj, CVE-2018-1000073

Package Slug

maven/org.jruby/jruby-stdlib

Vulnerability

Improper Link Resolution Before File Access ('Link Following')

Description

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

Affected Versions

All versions before 9.1.16.0

Solution

Upgrade to version 9.1.16.0 or above.

Last Modified

2023-03-09

source