EmrEtlRunner: bump transient dependency rubyzip to ~> 1.2.2 #26

Open
BenFradet opened this issue Feb 13, 2019 · 0 comments

Comments

@BenFradet
Contributor

CVE-2018-1000544
moderate severity
Vulnerable versions: <= 1.2.1
Patched version: 1.2.2
rubyzip gem version 1.2.1 and earlier contains a Directory Traversal vulnerability in the Zip::File component that can result in writing arbitrary files to the filesystem. This attack appears to be exploitable if a site allows uploading of .zip files: an attacker can upload a malicious file that contains symlinks or files with absolute pathnames or "../" to write arbitrary files to the filesystem. This is similar to CVE-2017-5946, which was patched in 1.2.1, but the fix in that case was incomplete.

@BenFradet BenFradet changed the title EmrEtlRunner: bump transient dependency rubyzip to ~> 1.2,2 EmrEtlRunner: bump transient dependency rubyzip to ~> 1.2.2 Mar 8, 2019
@peel peel transferred this issue from snowplow/snowplow May 27, 2020
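The two entry shapes the advisory names ("../" components and absolute pathnames) plus symlink entries can be screened for before extraction, whatever rubyzip version the lock file resolves. The block below is an added example for this issue, not code from the issue, from snowplow/EmrEtlRunner or from rubyzip: it constructs a small stored-only zip in memory (a made-up sample with deliberately hostile entry names), walks the central directory to read each entry's name and Unix mode out of the external attributes, and classifies every entry without writing anything to disk. The destination directory /tmp/extract and all entry names are assumptions for illustration; the zip reader and writer are intentionally minimal (no compression, no extra fields, no zip64).

```ruby
require 'zlib'

# Minimal writer for a "stored" (uncompressed) zip, used only to construct
# the sample archive inline. entries: array of {name:, data:, mode:}.
# For a symlink entry the data field holds the link target, as zip tools do.
def build_zip(entries)
  local = +''.b
  central = +''.b
  entries.each do |e|
    name = e[:name].b
    data = e[:data].b
    crc = Zlib.crc32(data)
    offset = local.bytesize
    local << "PK\x03\x04".b
    local << [20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize, name.bytesize, 0].pack('vvvvvVVVvv')
    local << name << data
    central << "PK\x01\x02".b
    # 0x0314: "made by" Unix (3) / version 20, so the external attributes
    # carry a Unix mode in their upper 16 bits
    central << [0x0314, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, e[:mode] << 16, offset].pack('vvvvvvVVVvvvvvVV')
    central << name
  end
  eocd = "PK\x05\x06".b +
         [0, 0, entries.size, entries.size, central.bytesize, local.bytesize, 0].pack('vvvvVVv')
  local + central + eocd
end

# Walk the central directory and return {name:, mode:, symlink:} per entry.
# The Unix mode comes from the upper 16 bits of the external attributes, so
# a symlink entry (S_IFLNK, 0o120000) is visible before anything is written.
def list_entries(zip)
  zip = zip.b
  eocd = zip.rindex("PK\x05\x06".b)
  raise 'no end-of-central-directory record' unless eocd
  total, _cd_size, pos = zip[eocd + 10, 10].unpack('vVV')
  Array.new(total) do
    raise 'bad central directory header' unless zip[pos, 4] == "PK\x01\x02".b
    name_len, extra_len, comment_len = zip[pos + 28, 6].unpack('vvv')
    mode = zip[pos + 38, 4].unpack1('V') >> 16
    name = zip[pos + 46, name_len].force_encoding('UTF-8')
    pos += 46 + name_len + extra_len + comment_len
    { name: name, mode: mode, symlink: (mode & 0o170000) == 0o120000 }
  end
end

# Resolve an entry name under dest and return the absolute target, or nil if
# the entry would land outside dest. File.absolute_path is used instead of
# File.expand_path because expand_path turns a leading "~" into a home
# directory, which is itself an escape from dest.
def safe_target(dest, name)
  root = File.absolute_path(dest)
  prefix = root.end_with?('/') ? root : "#{root}/"
  return nil if name.start_with?('/')
  target = File.absolute_path(name, root)
  target.start_with?(prefix) ? target : nil
end

# Classify every entry as :ok, :traversal or :symlink without extracting.
def audit_zip(zip, dest)
  list_entries(zip).each_with_object({}) do |e, out|
    out[e[:name]] =
      if e[:symlink] then :symlink
      elsif safe_target(dest, e[:name]).nil? then :traversal
      else :ok
      end
  end
end

# Constructed sample: one benign file, the two traversal shapes named in the
# advisory (absolute path and "../"), a symlink entry, and a name whose ".."
# stays inside the destination once normalised.
SAMPLE_ZIP = build_zip([
  { name: 'report/index.html',     data: '<h1>ok</h1>',          mode: 0o100644 },
  { name: '../../etc/cron.d/evil', data: '* * * * * root id',    mode: 0o100644 },
  { name: '/etc/passwd',           data: 'root::0:0::/:/bin/sh', mode: 0o100644 },
  { name: 'report/link',           data: '/etc',                 mode: 0o120777 },
  { name: 'report/../clean.txt',   data: 'fine',                 mode: 0o100644 }
])

if __FILE__ == $PROGRAM_NAME
  audit_zip(SAMPLE_ZIP, '/tmp/extract').each { |name, verdict| puts "#{verdict.to_s.ljust(9)} #{name}" }
end
```

Two details in `safe_target` are the ones that tend to be missed: the containment test appends the separator so that `/tmp/extract2` is not accepted as being inside `/tmp/extract`, and `File.absolute_path` is used rather than `File.expand_path` because the latter expands a leading `~`. Symlink entries are rejected outright rather than resolved, because a link written early in an archive can redirect a later relative write even when every entry name passes the path check; that is the second vector the advisory lists. To confirm which rubyzip your build actually resolves, `grep rubyzip Gemfile.lock` is the quickest check, since the `~> 1.2.2` constraint in this issue applies to a dependency pulled in transitively.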