SB2022103147 - Path traversal in TZInfo
Published: October 31, 2022
Security Bulletin ID
SB2022103147
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2022-31163)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing a new line character in the TZInfo::Timezone.get. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
Exploitation example:
TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")
Remediation
Install update from vendor's website.
References
- https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61
- https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
- https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10
- https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf
- https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7