The Zip::File component in the rubyzip gem for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.

Upstream bug:
https://github.com/rubyzip/rubyzip/issues/315

Upstream patch:
https://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016

Created rubygem-rubyzip tracking bugs for this issue:

Affects: fedora-all [bug 1427939]

Statement: This issue affects the versions of rubygem-rubyzip as shipped with Red Hat Quick Cloud Installer. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
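
One way an application that accepts uploaded archives can check entry names for containment before writing anything, shown as an added example (it is not code from rubyzip or from the upstream patch). The helper names `safe_destination` and `partition_entries`, the extraction root and the sample entry names are assumptions constructed for illustration; the check works on entry-name strings, so it runs without the gem.

```ruby
# Resolve an archive entry name against the extraction root.
# Returns the absolute destination path, or nil when the entry would be
# written outside the root. The check is lexical only: it does not follow
# symlinks that already exist on disk.
def safe_destination(dest_root, entry_name)
  root = File.expand_path(dest_root)
  # Treat backslashes as separators so "..\\" is handled like "../".
  name = entry_name.tr('\\', '/')
  # Reject empty names, NUL bytes and absolute paths outright.
  return nil if name.empty? || name.include?("\0") || name.start_with?('/')

  # File.join keeps a leading "~" literal; expand_path then collapses "..".
  target = File.expand_path(File.join(root, name))
  # Compare against root plus a separator so a sibling directory such as
  # "/srv/unpack2" does not pass as being inside "/srv/unpack".
  target.start_with?(root + File::SEPARATOR) ? target : nil
end

# Split a list of entry names into [safe, rejected].
def partition_entries(dest_root, entry_names)
  entry_names.partition { |n| safe_destination(dest_root, n) }
end

# Constructed sample entry names, as they might be listed from an upload.
CONSTRUCTED_ENTRIES = [
  'docs/readme.txt',
  'a/../b.txt',            # contains ".." but stays inside the root
  'images/',
  '../../etc/cron.d/job',  # climbs out of the root
  '../unpack2/x',          # sibling directory sharing the root's prefix
  '..\\..\\x',             # backslash-separated variant
  '/etc/passwd'            # absolute path
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, rejected = partition_entries('/srv/unpack', CONSTRUCTED_ENTRIES)
  puts "extract: #{safe.inspect}"
  puts "reject:  #{rejected.inspect}"
end
```

Rejecting the whole archive when any entry fails the check is the conservative choice for an upload handler.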