PT-2018-14058 · Github · Jekyll

Parkr

Published

2018-09-28

Updated

2019-04-26

CVE-2018-17567

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jekyll versions 3.6.2 and earlier, 3.7.x through 3.7.3, 3.8.x through 3.8.3

Description The issue allows attackers to access arbitrary files by specifying a symlink in the include key in the config.yml file.

Recommendations For Jekyll versions 3.6.2 and earlier, update to a version later than 3.6.2. For Jekyll versions 3.7.x through 3.7.3, update to a version later than 3.7.3. For Jekyll versions 3.8.x through 3.8.3, update to a version later than 3.8.3. As a temporary workaround, consider restricting access to the config.yml file to minimize the risk of exploitation.

Exploit

Fix

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59

Related Identifiers

CVE-2018-17567

DLA-1541-1

GHSA-4XJH-M3QX-49WC

Affected Products

Jekyll

PT-2018-14058 · Github · Jekyll

CVE-2018-17567

Weakness Enumeration

Related Identifiers

Affected Products

References · 15