github - ghsa-xfhh-rx56-rxcr

GHSA-XFHH-RX56-RXCR

Vulnerability from github – Published: 2019-07-02 15:28 – Updated: 2024-03-07 00:30

Summary

Path Traversal vulnerability that affects yard

Details

Possible arbitrary path traversal and file access via `yard server`

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

Thanks to CuongMX from Viettel Cyber Security for discovering this vulnerability.

Patches

Please upgrade to YARD v0.9.20 immediately if you are relying on yard server to host documentation in any untrusted environments.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "yard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1020001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:08Z",
    "nvd_published_at": "2019-07-29T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Possible arbitrary path traversal and file access via `yard server`\n\n### Impact\n\nA path traversal vulnerability was discovered in YARD \u003c= 0.9.19 when using `yard server` to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.\n\nThanks to CuongMX from Viettel Cyber Security for discovering this vulnerability.\n\n### Patches\n\nPlease upgrade to YARD v0.9.20 immediately if you are relying on yard server to host documentation in any untrusted environments.\n\n### Workarounds\n\nFor users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via `yard server -s webrick`), as can certain rules in your webserver configuration.",
  "id": "GHSA-xfhh-rx56-rxcr",
  "modified": "2024-03-07T00:30:48Z",
  "published": "2019-07-02T15:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020001"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xfhh-rx56-rxcr"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path Traversal vulnerability that affects yard"
}

GSD-2019-1020001

Vulnerability from gsd - Updated: 2019-07-02 00:00

Details

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using `yard server` to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The issue is resolved in v0.9.20 and later.

Aliases

CVE-2019-1020001

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-1020001",
    "description": "yard before 0.9.20 allows path traversal.",
    "id": "GSD-2019-1020001",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-1020001.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "yard",
            "purl": "pkg:gem/yard"
          }
        }
      ],
      "aliases": [
        "CVE-2019-1020001",
        "GHSA-xfhh-rx56-rxcr"
      ],
      "details": "A path traversal vulnerability was discovered in YARD \u003c= 0.9.19 when using\n`yard server` to serve documentation. This bug would allow unsanitized HTTP\nrequests to access arbitrary files on the machine of a yard server host under\ncertain conditions.\n\nThe issue is resolved in v0.9.20 and later.\n",
      "id": "GSD-2019-1020001",
      "modified": "2019-07-02T00:00:00.000Z",
      "published": "2019-07-02T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Arbitrary path traversal and file access via `yard server`"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve-assign@distributedweaknessfiling.org",
        "ID": "CVE-2019-1020001",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "yard",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.9.20"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "yard"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "yard before 0.9.20 allows path traversal."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "path traversal"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr",
            "refsource": "MISC",
            "url": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr"
          },
          {
            "name": "[debian-lts-announce] 20240306 [SECURITY] [DLA 3753-1] yard security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-1020001",
      "cvss_v3": 7.3,
      "date": "2019-07-02",
      "description": "A path traversal vulnerability was discovered in YARD \u003c= 0.9.19 when using\n`yard server` to serve documentation. This bug would allow unsanitized HTTP\nrequests to access arbitrary files on the machine of a yard server host under\ncertain conditions.\n\nThe issue is resolved in v0.9.20 and later.\n",
      "gem": "yard",
      "ghsa": "xfhh-rx56-rxcr",
      "patched_versions": [
        "\u003e= 0.9.20"
      ],
      "title": "Arbitrary path traversal and file access via `yard server`",
      "url": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.9.20",
          "affected_versions": "All versions before 0.9.20",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-21",
            "CWE-937"
          ],
          "date": "2019-08-01",
          "description": "The yard package is vulnerable to path traversal.",
          "fixed_versions": [
            "0.9.20"
          ],
          "identifier": "CVE-2019-1020001",
          "identifiers": [
            "CVE-2019-1020001",
            "GHSA-xfhh-rx56-rxcr"
          ],
          "not_impacted": "All versions starting from 0.9.20",
          "package_slug": "gem/yard",
          "pubdate": "2019-07-29",
          "solution": "Upgrade to version 0.9.20 or above.",
          "title": "Path Traversal",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-1020001"
          ],
          "uuid": "fe3a13b6-1733-4e7e-9f7d-0dd8c61958a3"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:yardoc:yard:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3E4F0B68-8C43-45F6-A1F1-C931E0BB814F",
                    "versionEndExcluding": "0.9.20",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "yard before 0.9.20 allows path traversal."
          },
          {
            "lang": "es",
            "value": "yard anterior a versi\u00f3n 0.9.20, permite un Salto de Ruta (path)."
          }
        ],
        "id": "CVE-2019-1020001",
        "lastModified": "2024-03-06T23:15:07.103",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2019-07-29T13:15:11.623",
        "references": [
          {
            "source": "josh@bress.net",
            "tags": [
              "Mitigation",
              "Third Party Advisory"
            ],
            "url": "https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr"
          },
          {
            "source": "josh@bress.net",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html"
          }
        ],
        "sourceIdentifier": "josh@bress.net",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-22"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

CVE-2019-1020001 (GCVE-0-2019-1020001)

Vulnerability from cvelistv5 – Published: 2019-07-29 00:00 – Updated: 2024-08-05 03:14

Summary

yard before 0.9.20 allows path traversal.

Severity ?

No CVSS data available.

CWE

path traversal

Assigner

dwf

References

URL

	Vendor	Product	Version
	yard	yard	Affected: < 0.9.20

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted