Tzinfo · Tzinfo · CVE-2022-31163
**Name of the Vulnerable Software and Affected Versions**
TZInfo versions 0.3.60 and earlier (prior to 0.3.61)
TZInfo versions 1.0.0 to 1.2.9 when used with the Ruby data source
**Description**
The issue is a relative path traversal in the TZInfo Ruby library, which provides access to time zone data. The library does not validate time zone identifiers correctly and accepts an identifier containing a new line character. This can lead to unintended files being loaded with `require` and executed within the Ruby process. The vulnerability can be exploited in applications that allow file uploads and have a time zone selector that accepts arbitrary time zone identifiers.
**Recommendations**
For versions prior to 0.3.61, update to version 0.3.61 or later.
For versions 1.0.0 to 1.2.9 when used with the Ruby data source, update to version 1.2.10 or later.
As a temporary workaround, validate the time zone identifier before passing it to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.
Ensure that untrusted files are not placed in a directory on the load path to prevent arbitrary file loading.
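The identifier check from the workaround above, as an added example that is not TZInfo's own code: a validation wrapper using the advisory's regular expression, alongside a line-anchored variant that shows why Ruby's `\A`/`\z` anchors are required and `^`/`$` are not sufficient against an identifier with an embedded newline. The function and constant names are assumptions for illustration.

```ruby
# Added example, not part of TZInfo. Validates a time zone identifier with the
# regular expression recommended in the advisory before it reaches
# TZInfo::Timezone.get. \A and \z anchor to the whole string.
SAFE_IDENTIFIER = /\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z/

# Deliberately weak variant for comparison only: in Ruby, ^ and $ match at
# line boundaries, so a string like "America/New_York\n..." still matches.
LINE_ANCHORED_IDENTIFIER = /^[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*$/

# True when the identifier is a String made only of the permitted characters,
# with no empty path segments, no leading or trailing slash, and no newline.
def valid_timezone_identifier?(identifier)
  identifier.is_a?(String) && SAFE_IDENTIFIER.match?(identifier)
end

# Shows the false acceptance of the line-anchored pattern (for the caveat).
def line_anchored_accepts?(identifier)
  identifier.is_a?(String) && LINE_ANCHORED_IDENTIFIER.match?(identifier)
end

# Guard to call immediately before TZInfo::Timezone.get(identifier); returns
# the identifier unchanged or raises ArgumentError for anything unexpected.
def validate_timezone_identifier!(identifier)
  unless valid_timezone_identifier?(identifier)
    raise ArgumentError, "invalid time zone identifier: #{identifier.inspect}"
  end
  identifier
end

# Constructed sample inputs: two benign identifiers, one with an embedded
# newline, one with path traversal characters, and one malformed.
CONSTRUCTED_INPUTS = [
  "Europe/London",
  "Etc/GMT+5",
  "America/New_York\nnot_a_zone",
  "../../tmp/payload",
  "America/"
].freeze

if $PROGRAM_NAME == __FILE__
  CONSTRUCTED_INPUTS.each do |id|
    puts "#{id.inspect}: safe=#{valid_timezone_identifier?(id)} " \
         "line_anchored=#{line_anchored_accepts?(id)}"
  end
end
```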