CVE-2021-28966 — Path Traversal in Ruby

Severity

7.5HIGHNVD

EPSS

0.3%

top 42.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedJul 30

Description

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

▶NVDruby-lang/ruby3.0.0 — 3.0.1+1

▶Alpineruby-lang/ruby< 2.5.9-r0+13

OSV

CVE-2021-28966: In Ruby through 3↗2021-07-30

▶

CVEList

CVE-2021-28966: In Ruby through 3↗2021-07-27

▶

GHSA

Tempfile on Windows path traversal vulnerability↗2021-05-06

▶

OSV

Tempfile on Windows path traversal vulnerability↗2021-05-06

▶

Debian

CVE-2021-28966: ruby2.7 - In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when...↗2021

▶