PT-2022-20578 · Tzinfo+3

Kratob

Published 2022-07-21 · Updated 2024-09-03

CVE-2022-31163

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TZInfo versions prior to 0.3.61
TZInfo versions 1.0.0 to 1.2.9 when used with the Ruby data source
TZInfo version 0.3.60 and earlier

Description

The issue is a relative path traversal in the TZInfo Ruby library, which provides access to time zone data. The library fails to validate time zone identifiers correctly and accepts a newline character within the identifier. Because the identifier is used to build a path that is loaded with require, this can cause unintended files to be loaded and executed within the Ruby process. The vulnerability can be exploited in applications that allow file uploads and expose a time zone selector that accepts arbitrary time zone identifiers.

Recommendations

For versions prior to 0.3.61, update to version 0.3.61 or later. For versions 1.0.0 to 1.2.9 when used with the Ruby data source, update to version 1.2.10 or later. As a temporary workaround, validate the time zone identifier before passing it to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z. Ensure that untrusted files are not placed in a directory on the load path to prevent arbitrary file loading.
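As an added example (not code from the advisory or from the tzinfo project), the following Ruby implements the workaround above as a guard in front of TZInfo::Timezone.get. The names valid_tz_identifier?, safe_timezone_get and the lookup callable are assumed; the pattern itself is the advisory's workaround regex, and the line-anchored variant is included only to show why \A and \z matter for a newline-based bypass.

```ruby
# Workaround regex from the advisory: segments of [A-Za-z0-9+-_] joined by
# single slashes, anchored to the whole string with \A and \z.
TZINFO_ID_PATTERN = /\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z/

# True only when the whole identifier matches. \A and \z are deliberate:
# in Ruby, ^ and $ match at line boundaries, so a value such as
# "America/New_York\n../x" would satisfy a ^...$ check.
def valid_tz_identifier?(identifier)
  identifier.is_a?(String) && TZINFO_ID_PATTERN.match?(identifier)
end

# Guarded replacement for a direct TZInfo::Timezone.get call. The lookup is
# passed in as a callable so this file runs without the tzinfo gem; in an
# application it would be ->(id) { TZInfo::Timezone.get(id) }.
def safe_timezone_get(identifier, lookup)
  unless valid_tz_identifier?(identifier)
    raise ArgumentError, "rejected time zone identifier: #{identifier.inspect}"
  end
  lookup.call(identifier)
end

# Contrast: the same character classes anchored per line, which is the kind
# of check that lets a newline-separated traversal segment through.
WEAK_PATTERN = /^[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*$/
def weak_tz_identifier?(identifier)
  identifier.is_a?(String) && WEAK_PATTERN.match?(identifier)
end

# Constructed sample identifiers with the verdict the strict check gives.
SAMPLES = {
  "America/New_York"          => true,
  "Etc/GMT+1"                 => true,
  "Europe/London"             => true,
  "America/New_York\n../evil" => false, # newline before a traversal segment
  "../../tmp/upload"          => false, # dots are not in the allowed set
  "America//New_York"         => false, # empty segment
  ""                          => false,
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |id, expected|
    strict = valid_tz_identifier?(id)
    weak = weak_tz_identifier?(id)
    puts "#{id.inspect}: strict=#{strict} weak=#{weak} ok=#{strict == expected}"
  end
end
```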

Weakness Enumeration

Relative Path Traversal
Path traversal

Related Identifiers

CVE-2022-31163
DLA-3077-1
DLA-3866-1
GHSA-5CM2-9H8C-RVFX
OESA-2024-1398
OESA-2024-1399
OPENSUSE-SU-2022_2592-1
OPENSUSE-SU-2024:12249-1
OPENSUSE-SU-2024:13171-1
OPENSUSE-SU-2024:14178-1
RHSA-2022:7242
RHSA-2023:1486
RHSA-2023:2097
RLSA-2023:2097
SUSE-SU-2022:2592-1
SUSE-SU-2022:2765-1
SUSE-SU-2022_2592-1

Affected Products

Astra Linux
Rocky Linux
Suse
Tzinfo