CVE-2020-8161.yml
---
gem: rack
cve: 2020-8161
ghsa: 5f9h-9pjv-v6j7
url: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
title: Directory traversal in Rack::Directory app bundled with Rack
date: 2020-05-12
description: |
  There was a possible directory traversal vulnerability in the Rack::Directory app
  that is bundled with Rack.

  Versions Affected: rack < 2.2.0
  Not affected: Applications that do not use Rack::Directory.
  Fixed Versions: 2.1.3, >= 2.2.0

  Impact
  ------

  If certain directories exist in a directory that is managed by
  `Rack::Directory`, an attacker could, using this vulnerability, read the
  contents of files on the server that were outside of the root specified in the
  Rack::Directory initializer.

  Workarounds
  -----------

  Until such time as the patch is applied or their Rack version is upgraded,
  we recommend that developers do not use Rack::Directory in their
  applications.
cvss_v3: 8.6
patched_versions:
- "~> 2.1.3"
- ">= 2.2.0"