First Last Prev Next    This bug is not in your last search results.
Bug 1099280 - (CVE-2018-1000544) VUL-0: CVE-2018-1000544: rubygem-rubyzip: Directory traversal in Zip::File component
(CVE-2018-1000544)
VUL-0: CVE-2018-1000544: rubygem-rubyzip: Directory traversal in Zip::File co...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.0
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/208962/
CVSSv3:RedHat:CVE-2018-1000544:3.3:(...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-27 09:40 UTC by Alexander Bergmann
Modified: 2020-04-28 16:15 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2018-06-27 09:40:42 UTC 
rh#1595625

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal
vulnerability in Zip::File component that can result in write arbitrary files to
the filesystem. This attack appear to be exploitable via If a site allows
uploading of .zip files , an attacker can upload a malicious file that contains
symlinks or files with absolute pathnames "../" to write arbitrary files to the
filesystem..

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1595625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000544
https://github.com/rubyzip/rubyzip/issues/369
Comment 2 Wolfgang Frisch 2020-01-16 14:14:19 UTC 
Fixed.
First Last Prev Next    This bug is not in your last search results.