Ruby CVE-2018-8780 Directory Traversal Vulnerability

BID:103739

CVE-2018-8780 |

Info

Ruby CVE-2018-8780 Directory Traversal Vulnerability

Bugtraq ID: 103739
Class: Input Validation Error
CVE: CVE-2018-8780
Remote: Yes
Local: No
Published: Mar 28 2018 12:00AM
Updated: Mar 28 2018 12:00AM
Credit: ooooooo_q
Vulnerable: Ruby-Lang Ruby 2.4.3
Ruby-Lang Ruby 2.4.2
Ruby-Lang Ruby 2.4.1
Ruby-Lang Ruby 2.3.6
Ruby-Lang Ruby 2.3.5
Ruby-Lang Ruby 2.3.4
Ruby-Lang Ruby 2.3
Ruby-Lang Ruby 2.2.9
Ruby-Lang Ruby 2.2.8
Ruby-Lang Ruby 2.2.7
Ruby-Lang Ruby 2.2
Ruby-Lang Ruby 2.1.4
Ruby-Lang Ruby 2.1.3
Ruby-Lang Ruby 2.1.2
Ruby-Lang Ruby 2.0 rc2
Ruby-Lang Ruby 1.9
Ruby-Lang Ruby 1.8.7 p72
Ruby-Lang Ruby 1.8.7 p71
Ruby-Lang Ruby 1.8.5
Ruby-Lang Ruby 2.6.0-preview1
Ruby-Lang Ruby 2.5.0
Ruby-Lang Ruby 2.4.0
Ruby-Lang Ruby 2.2.2
Ruby-Lang Ruby 2.1.6
Ruby-Lang Ruby 2.1.5
Ruby-Lang Ruby 2.1.2p168
Ruby-Lang Ruby 2.1.1
Ruby-Lang Ruby 2.1 Preview1
Ruby-Lang Ruby 2.1 -
Ruby-Lang Ruby 2.0.0-p594
Ruby-Lang Ruby 2.0.0 RC1
Ruby-Lang Ruby 2.0.0 Preview2
Ruby-Lang Ruby 2.0.0 Preview1
Ruby-Lang Ruby 2.0.0 patchlevel 645
Ruby-Lang Ruby 2.0.0 P598
Ruby-Lang Ruby 2.0.0 P247
Ruby-Lang Ruby 2.0.0 P195
Ruby-Lang Ruby 2.0.0 P0
Ruby-Lang Ruby 2.0.0
Ruby-Lang Ruby 1.9.3-p550
Ruby-Lang Ruby 1.9.3 P551
Ruby-Lang Ruby 1.9.3 P429
Ruby-Lang Ruby 1.9.3 P426
Ruby-Lang Ruby 1.9.3 P392
Ruby-Lang Ruby 1.9.3 P385
Ruby-Lang Ruby 1.9.3 P383
Ruby-Lang Ruby 1.9.3 P286
Ruby-Lang Ruby 1.9.3 P194
Ruby-Lang Ruby 1.9.3 P125
Ruby-Lang Ruby 1.9.3 P0
Ruby-Lang Ruby 1.9.3
Ruby-Lang Ruby 1.9.2-p330
Ruby-Lang Ruby 1.9.2
Ruby-Lang Ruby 1.9.1
Ruby-Lang Ruby 1.9
Ruby-Lang Ruby 1.8.7 Preview4
Ruby-Lang Ruby 1.8.7 Preview3
Ruby-Lang Ruby 1.8.7 Preview2
Ruby-Lang Ruby 1.8.7 Preview1
Ruby-Lang Ruby 1.8.7 P374
Ruby-Lang Ruby 1.8.7 P373
Ruby-Lang Ruby 1.8.7 P371
Ruby-Lang Ruby 1.8.7 P370
Ruby-Lang Ruby 1.8.7 P358
Ruby-Lang Ruby 1.8.7 P357
Ruby-Lang Ruby 1.8.7 P352
Ruby-Lang Ruby 1.8.7 P334
Ruby-Lang Ruby 1.8.7 P330
Ruby-Lang Ruby 1.8.7 P302
Ruby-Lang Ruby 1.8.7 P301
Ruby-Lang Ruby 1.8.7 P299
Ruby-Lang Ruby 1.8.7 P249
Ruby-Lang Ruby 1.8.7 P248
Ruby-Lang Ruby 1.8.7 P22
Ruby-Lang Ruby 1.8.7 P174
Ruby-Lang Ruby 1.8.7 P173
Ruby-Lang Ruby 1.8.7 P17
Ruby-Lang Ruby 1.8.7 P160
Ruby-Lang Ruby 1.8.7
Ruby-Lang Ruby 1.8.6-26
Ruby-Lang Ruby 1.8.6
Ruby-Lang Ruby 1.8
Redhat Subscription Asset Manager 1.0.0
Not Vulnerable: Ruby-Lang Ruby 2.5.1
Ruby-Lang Ruby 2.4.4
Ruby-Lang Ruby 2.3.7
Ruby-Lang Ruby 2.2.10

Discussion

Ruby CVE-2018-8780 Directory Traversal Vulnerability

Ruby is prone to a directory-traversal vulnerability.

Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks.

Ruby prior to 2.2.10, 2.3.x prior to 2.3.7, 2.4.x prior to 2.4.4, 2.5.x prior to 2.5.1, and 2.6.0-preview1 are vulnerable.

Exploit / POC

Ruby CVE-2018-8780 Directory Traversal Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report