Kratob

**Name of the Vulnerable Software and Affected Versions** TZInfo versions prior to 0.3.61 TZInfo versions 1.0.0 to 1.2.9 when used with the Ruby data source TZInfo version 0.3.60 and earlier **Description** The issue is related to relative path traversal in the TZInfo Ruby library, which provides access to time zone data. The library fails to validate time zone identifiers correctly, allowing a new line character within the identifier. This can lead to unintended files being loaded with `require` and executed within the Ruby process. The vulnerability can be exploited in applications that allow file uploads and have a time zone selector that accepts arbitrary time zone identifiers. **Recommendations** For versions prior to 0.3.61, update to version 0.3.61 or later. For versions 1.0.0 to 1.2.9 when used with the Ruby data source, update to version 1.2.10 or later. As a temporary workaround, validate the time zone identifier before passing it to `TZInfo::Timezone.get` by ensuring it matches the regular expression `A[A-Za-z0-9+- ]+(?:/[A-Za-z0-9+- ]+)*z`. Ensure that untrusted files are not placed in a directory on the load path to prevent arbitrary file loading.

**Name of the Vulnerable Software and Affected Versions** consul ruby gem versions prior to 1.0.3 **Description** The issue is related to Incorrect Access Control in the consul ruby gem. Specifically, when a controller checks multiple powers using `:if` or `:except` conditions, these conditions are applied to all power checks in that controller, leading to skipped power checks and potentially allowing unauthenticated access to certain controller actions. **Recommendations** For consul ruby gem versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider reviewing and manually validating all power checks in controllers to ensure correct access control until the update can be applied.