{ "schema_version": "1.4.0", "id": "GHSA-4xjh-m3qx-49wc", "modified": "2023-09-05T21:41:33Z", "published": "2018-09-28T19:29:07Z", "aliases": [ "CVE-2018-17567" ], "summary": "Jekyll allows attackers to access arbitrary files by specifying a symlink", "details": "Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the `include` key in the `_config.yml` file.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "jekyll" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.6.3" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "jekyll" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.7.0" }, { "fixed": "3.7.4" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "jekyll" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.8.0" }, { "fixed": "3.8.4" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17567" }, { "type": "WEB", "url": "https://github.com/jekyll/jekyll/pull/7224" }, { "type": "PACKAGE", "url": "https://github.com/jekyll/jekyll" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jekyll/CVE-2018-17567.yml" }, { "type": "WEB", "url": "https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b11309f04ad984@%3Ccommits.accumulo.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-59" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:59:43Z", "nvd_published_at": null } }