CVE-2018-8780

Name of the Vulnerable Software and Affected Versions Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1

Description The issue arises from the Dir.open, Dir.new, Dir.entries, and Dir.empty? methods not checking for NULL characters, potentially leading to unintentional directory traversal. This could allow a remote attacker to gain unauthorized access to protected data or impact the integrity of protected information.

Recommendations For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version. As a temporary workaround, consider restricting access to the Dir.open, Dir.new, Dir.entries, and Dir.empty? methods until a patch is available.