Ruby CVE-2018-8780 Directory Traversal Vulnerability
BID:103739
CVE-2018-8780 |Info
Ruby CVE-2018-8780 Directory Traversal Vulnerability
| Bugtraq ID: | 103739 |
| Class: | Input Validation Error |
| CVE: |
CVE-2018-8780 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 28 2018 12:00AM |
| Updated: | Mar 28 2018 12:00AM |
| Credit: | ooooooo_q |
| Vulnerable: |
Ruby-Lang Ruby 2.4.3 Ruby-Lang Ruby 2.4.2 Ruby-Lang Ruby 2.4.1 Ruby-Lang Ruby 2.3.6 Ruby-Lang Ruby 2.3.5 Ruby-Lang Ruby 2.3.4 Ruby-Lang Ruby 2.3 Ruby-Lang Ruby 2.2.9 Ruby-Lang Ruby 2.2.8 Ruby-Lang Ruby 2.2.7 Ruby-Lang Ruby 2.2 Ruby-Lang Ruby 2.1.4 Ruby-Lang Ruby 2.1.3 Ruby-Lang Ruby 2.1.2 Ruby-Lang Ruby 2.0 rc2 Ruby-Lang Ruby 1.9 Ruby-Lang Ruby 1.8.7 p72 Ruby-Lang Ruby 1.8.7 p71 Ruby-Lang Ruby 1.8.5 Ruby-Lang Ruby 2.6.0-preview1 Ruby-Lang Ruby 2.5.0 Ruby-Lang Ruby 2.4.0 Ruby-Lang Ruby 2.2.2 Ruby-Lang Ruby 2.1.6 Ruby-Lang Ruby 2.1.5 Ruby-Lang Ruby 2.1.2p168 Ruby-Lang Ruby 2.1.1 Ruby-Lang Ruby 2.1 Preview1 Ruby-Lang Ruby 2.1 - Ruby-Lang Ruby 2.0.0-p594 Ruby-Lang Ruby 2.0.0 RC1 Ruby-Lang Ruby 2.0.0 Preview2 Ruby-Lang Ruby 2.0.0 Preview1 Ruby-Lang Ruby 2.0.0 patchlevel 645 Ruby-Lang Ruby 2.0.0 P598 Ruby-Lang Ruby 2.0.0 P247 Ruby-Lang Ruby 2.0.0 P195 Ruby-Lang Ruby 2.0.0 P0 Ruby-Lang Ruby 2.0.0 Ruby-Lang Ruby 1.9.3-p550 Ruby-Lang Ruby 1.9.3 P551 Ruby-Lang Ruby 1.9.3 P429 Ruby-Lang Ruby 1.9.3 P426 Ruby-Lang Ruby 1.9.3 P392 Ruby-Lang Ruby 1.9.3 P385 Ruby-Lang Ruby 1.9.3 P383 Ruby-Lang Ruby 1.9.3 P286 Ruby-Lang Ruby 1.9.3 P194 Ruby-Lang Ruby 1.9.3 P125 Ruby-Lang Ruby 1.9.3 P0 Ruby-Lang Ruby 1.9.3 Ruby-Lang Ruby 1.9.2-p330 Ruby-Lang Ruby 1.9.2 Ruby-Lang Ruby 1.9.1 Ruby-Lang Ruby 1.9 Ruby-Lang Ruby 1.8.7 Preview4 Ruby-Lang Ruby 1.8.7 Preview3 Ruby-Lang Ruby 1.8.7 Preview2 Ruby-Lang Ruby 1.8.7 Preview1 Ruby-Lang Ruby 1.8.7 P374 Ruby-Lang Ruby 1.8.7 P373 Ruby-Lang Ruby 1.8.7 P371 Ruby-Lang Ruby 1.8.7 P370 Ruby-Lang Ruby 1.8.7 P358 Ruby-Lang Ruby 1.8.7 P357 Ruby-Lang Ruby 1.8.7 P352 Ruby-Lang Ruby 1.8.7 P334 Ruby-Lang Ruby 1.8.7 P330 Ruby-Lang Ruby 1.8.7 P302 Ruby-Lang Ruby 1.8.7 P301 Ruby-Lang Ruby 1.8.7 P299 Ruby-Lang Ruby 1.8.7 P249 Ruby-Lang Ruby 1.8.7 P248 Ruby-Lang Ruby 1.8.7 P22 Ruby-Lang Ruby 1.8.7 P174 Ruby-Lang Ruby 1.8.7 P173 Ruby-Lang Ruby 1.8.7 P17 Ruby-Lang Ruby 1.8.7 P160 Ruby-Lang Ruby 1.8.7 Ruby-Lang Ruby 1.8.6-26 Ruby-Lang Ruby 1.8.6 Ruby-Lang Ruby 1.8 Redhat Subscription Asset Manager 1.0.0 |
| Not Vulnerable: |
Ruby-Lang Ruby 2.5.1 Ruby-Lang Ruby 2.4.4 Ruby-Lang Ruby 2.3.7 Ruby-Lang Ruby 2.2.10 |
Discussion
Ruby CVE-2018-8780 Directory Traversal Vulnerability
Ruby is prone to a directory-traversal vulnerability.
Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks.
Ruby prior to 2.2.10, 2.3.x prior to 2.3.7, 2.4.x prior to 2.4.4, 2.5.x prior to 2.5.1, and 2.6.0-preview1 are vulnerable.
Ruby is prone to a directory-traversal vulnerability.
Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks.
Ruby prior to 2.2.10, 2.3.x prior to 2.3.7, 2.4.x prior to 2.4.4, 2.5.x prior to 2.5.1, and 2.6.0-preview1 are vulnerable.
Exploit / POC
Ruby CVE-2018-8780 Directory Traversal Vulnerability
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
Ruby CVE-2018-8780 Directory Traversal Vulnerability
References:
References: