PT-2019-11617 · Yard+3

Cuongmx · Published 2019-07-02 · Updated 2024-04-15 · CVE-2019-1020001

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: yard versions prior to 0.9.20
Description: A path traversal issue was discovered in yard when yard server is used to serve documentation. Under certain conditions, unsanitized HTTP request paths allow a remote, unauthenticated client to read arbitrary files on the machine hosting the yard server (confidentiality impact only; no integrity or availability impact, per the CVSS vector above).
Recommendations: If you run a version prior to 0.9.20 and rely on yard server to host documentation in any untrusted environment, upgrade to YARD v0.9.20 immediately. As a temporary workaround for users who cannot upgrade, perform path sanitization of HTTP requests at the webserver level, for example by serving through WEBrick via yard server -s webrick, or by adding rules in your webserver configuration that reject traversal sequences, to reduce the risk of exploitation until the upgrade can be applied.
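The following Ruby snippet is an added illustration of the weakness class described in this advisory, not yard's own code or the actual vulnerable code path: it places a naive static-file resolver (request path joined onto the document root without a containment check) beside a hardened version that canonicalizes the path and requires it to stay under the document root. The function names, the document root /srv/docs and the request paths are constructed for the example.

```ruby
require "uri"

# UNSAFE (illustrative, not yard's code): percent-decode the request path and
# join it onto the document root. Nothing checks where the canonical result
# ends up, so "/../../etc/passwd" (or its %2e%2e-encoded form) escapes the
# document root.
def resolve_unsafe(doc_root, request_path)
  rel = URI.decode_www_form_component(request_path)
  File.absolute_path(File.join(doc_root, rel))
end

# HARDENED (illustrative): decode, reject null bytes, strip leading slashes so
# the path is always interpreted relative to the root, canonicalize, then
# require the result to be the root itself or live strictly below it.
# Returns the canonical filesystem path, or nil if the request must be refused.
def resolve_safe(doc_root, request_path)
  root = File.absolute_path(doc_root)

  begin
    rel = URI.decode_www_form_component(request_path)
  rescue ArgumentError
    return nil # malformed percent-encoding
  end

  # A NUL byte would truncate the path in C-level file APIs; refuse it outright.
  return nil if rel.include?("\0")

  # "/css/style.css" must mean "<root>/css/style.css", never the absolute "/css".
  rel = rel.sub(%r{\A/+}, "")

  # File.absolute_path collapses ".", ".." and repeated separators. It is used
  # instead of File.expand_path deliberately: expand_path also expands a leading
  # "~" to a home directory, which is another way out of the document root.
  candidate = File.absolute_path(rel, root)

  # Compare against root + separator so that a root of "/srv/docs" does not
  # accept "/srv/docs2/..." on a plain string-prefix match.
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end
```

The check above is purely lexical: a symlink inside the document root that points elsewhere would still be followed when the file is opened. Where that matters, resolve the existing file with File.realpath and repeat the containment check on the result before serving it.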

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2019-1020001
DLA-3753-1
GHSA-XFHH-RX56-RXCR
OESA-2021-1289
USN-6731-1

Affected Products

Astra Linux
Linuxmint
Ubuntu
Yard