CVE-2017-5946: Directory Traversal in Rubyzip
Severity
High
Vendor
Rubyzip
Versions Affected
- All Rubyzip versions prior to 1.2.1
Description
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a crafted archive whose entry names contain "../" pathname substrings; when the application extracts it, those entries are written outside the intended extraction directory, allowing arbitrary files to be written to the filesystem.
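Added defensive example, not code from Rubyzip or from this advisory: the check an application that extracts uploaded archives should apply to every entry name before writing, so that the "../" entries described above are rejected instead of escaping the extraction directory. It assumes entries respond to name, directory? and get_input_stream (the subset of Rubyzip's Zip::Entry interface used here); FakeEntry is a constructed stand-in so the code runs without the gem.

```ruby
require "fileutils"
require "stringio"

# Raised when an archive entry would land outside the extraction root.
class ZipTraversalError < StandardError; end

# True when +path+ is +root+ or lies beneath it on a directory boundary
# (so "/srv/out2" is not mistaken for a child of "/srv/out").
def inside?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Resolve where +entry_name+ would be written under +root+, collapsing "../"
# segments, and raise unless the result stays inside +root+. Absolute names
# are rejected rather than silently re-rooted.
def safe_destination(root, entry_name)
  root = File.expand_path(root)
  raise ZipTraversalError, "absolute entry name #{entry_name.inspect}" if entry_name.start_with?("/")
  dest = File.expand_path(File.join(root, entry_name)) # join first so a leading "~" is not expanded
  raise ZipTraversalError, "#{entry_name.inspect} escapes #{root}" unless inside?(root, dest)
  dest
end

# Extract +entries+ (objects responding to #name, #directory? and #get_input_stream,
# the subset of Zip::Entry used here) under +root+. Every name is validated
# before anything is written, so one bad entry aborts the whole archive.
def extract_safely(root, entries)
  root = File.expand_path(root)
  FileUtils.mkdir_p(root)
  planned = entries.map { |e| [e, safe_destination(root, e.name)] }
  real_root = File.realpath(root)
  planned.each do |entry, dest|
    dir = entry.directory? ? dest : File.dirname(dest)
    FileUtils.mkdir_p(dir)
    # Re-check with symlinks resolved: a link planted by an earlier entry
    # must not redirect this write outside the root.
    unless inside?(real_root, File.realpath(dir)) && !File.symlink?(dest)
      raise ZipTraversalError, "#{entry.name.inspect} resolves outside #{root} via a symlink"
    end
    next if entry.directory?
    File.open(dest, "wb") { |f| IO.copy_stream(entry.get_input_stream, f) }
  end
  planned.map(&:last)
end

# Constructed stand-in for Zip::Entry so the check can be exercised offline.
FakeEntry = Struct.new(:name, :data) do
  def directory?; name.end_with?("/"); end
  def get_input_stream; StringIO.new(data.to_s); end
end
```

With the real gem, the same functions apply unchanged to the entries yielded by Zip::File.open(path).each.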
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- PCF Operations Manager:
  - 1.6.x versions prior to 1.6.30
  - 1.7.x versions prior to 1.7.24
  - 1.8.x versions prior to 1.8.16
  - 1.9.x versions prior to 1.9.6
Please note: PCF Operations Manager 1.10.x and 1.11.x versions are not affected.
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - PCF Operations Manager: 1.6.30, 1.7.24, 1.8.16, 1.9.6