A component of the rubygem-yard library (lib/yard/core_ext/file.rb) that is used by the yard document generation server does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17042 https://bugzilla.novell.com/show_bug.cgi?id=1070263 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17042.html http://www.cvedetails.com/cve/CVE-2017-17042/ https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b1682506333335975e62b4
Created rubygem-yard tracking bugs for this issue: Affects: fedora-all [bug 1519068]
Created rubygem-yard tracking bugs for this issue: Affects: openshift-1 [bug 1519596]
Statement: This issue affects the versions of rubygem-yard as shipped with Red Hat Subscription Asset Manager 1.x and Message Routing and Grid 2.x. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.