#VU68860 Path traversal in Tzinfo - CVE-2022-31163
Published: October 31, 2022
Vulnerability identifier: #VU68860
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-31163
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Tzinfo
Tzinfo
Software vendor:
Tzinfo Project
Tzinfo Project
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing a new line character in the TZInfo::Timezone.get. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
Exploitation example:
TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")
Remediation
Install update from vendor's website.
External links
- https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61
- https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
- https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10
- https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf
- https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7