{ "schema_version": "1.4.0", "id": "GHSA-46f2-3v63-3xrp", "modified": "2022-08-15T20:01:42Z", "published": "2021-05-06T15:01:36Z", "aliases": [ "CVE-2021-28966" ], "summary": "Tempfile on Windows path traversal vulnerability", "details": "There is an unintentional directory creation vulnerability in `tmpdir` library bundled with Ruby on Windows. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. \n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "tmpdir" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.1.2" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28966" }, { "type": "WEB", "url": "https://github.com/ruby/tmpdir/pull/8" }, { "type": "WEB", "url": "https://github.com/ruby/tmpdir/commit/93798c01cb7c10476e50a4d80130a329ba47f348" }, { "type": "WEB", "url": "https://hackerone.com/reports/1131465" }, { "type": "PACKAGE", "url": "https://github.com/ruby/tmpdir" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/tmpdir/CVE-2021-28966.yml" }, { "type": "WEB", "url": "https://rubygems.org/gems/tmpdir" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210902-0004" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-06T15:01:12Z", "nvd_published_at": "2021-07-30T14:15:00Z" } }