CVE-2022-31163 — Path Traversal in Tzinfo
Severity
8.1 HIGH (NVD)
EPSS
5.0%
top 10.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jul 22
Description
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone i…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
Affected Packages: 4 packages
Also affects: Debian Linux 10.0
Patches
Vulnerability Details
3 OSV
CVE-2022-31163: TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules (2022-07-22)