Vulnerability Note VU#404515
Ruby WEBrick vulnerable to directory traversal
Ruby WEBrick is vulnerable to directory traversal on systems that accept the backslash (\) as a path separator. This vulnerability may allow a remote attacker to access arbitrary files outside of the web server's document root.
WEBrick is a Ruby library for building HTTP servers. On systems that accept the backslash (\) as a path separator, WEBrick's check for ".." traversal sequences can be bypassed: a remote attacker sends a request path containing URL-encoded backslash sequences (..%5c), which pass the check but are interpreted by the underlying filesystem as parent-directory traversal. For more information, please see "File access vulnerability of WEBrick."
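The following Ruby is an added illustration of the class of check described above; it is not WEBrick's own code and not the patch referenced in "File access vulnerability of WEBrick." It contrasts a traversal filter that only recognizes "/" as a separator with one that treats "/" and "\" alike and verifies the canonical path, and it emulates a backslash-accepting filesystem so the escape can be observed without touching disk. The document root, request paths and the emulation are constructed for the example.

```ruby
require "pathname"

# Document root used throughout this example (constructed; any directory
# name works because nothing is read from disk).
DOCROOT = "/srv/www"

# Minimal percent-decoder for URL path components ("%5c" -> "\").
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Vulnerable-style check (illustrative, not WEBrick's own code): decode,
# then reject any ".." segment, but split only on "/". A decoded "\" stays
# inside a segment, so "..%5c" is never recognized as "..".
def naive_resolve(docroot, request_path)
  decoded = percent_decode(request_path)
  return nil if decoded.split("/").include?("..")
  File.join(docroot, decoded)
end

# Emulates a filesystem that accepts "\" as a path separator (Windows-like):
# every backslash acts like "/", so "..\" climbs one directory. Constructed
# for the example; it does not consult the real filesystem.
def backslash_fs_view(path)
  Pathname.new(path.tr("\\", "/")).cleanpath.to_s
end

# Hardened check: split on both separators after decoding, reject ".." and
# NUL bytes, then confirm the canonical result is still inside docroot.
def safe_resolve(docroot, request_path)
  decoded = percent_decode(request_path)
  return nil if decoded.include?("\0")
  segments = decoded.split(%r{[/\\]+}).reject { |s| s.empty? || s == "." }
  return nil if segments.include?("..")
  root = Pathname.new(docroot).cleanpath.to_s
  candidate = Pathname.new(File.join(docroot, *segments)).cleanpath.to_s
  return nil unless candidate == root || candidate.start_with?(root + "/")
  candidate
end

if __FILE__ == $0
  attack = "/..%5c..%5cetc/passwd"
  leaked = naive_resolve(DOCROOT, attack)
  puts "naive check returns:            #{leaked.inspect}"
  puts "seen by a backslash filesystem: #{backslash_fs_view(leaked)}"
  puts "hardened check returns:         #{safe_resolve(DOCROOT, attack).inspect}"
  puts "hardened check, normal request: #{safe_resolve(DOCROOT, '/index.html').inspect}"
end
```

The naive filter does block the classic "/../../etc/passwd" form, which is why the bug only matters where the operating system itself treats "\" as a separator; the hardened version does not depend on that distinction because it normalizes both separators before checking and re-checks the canonical path against the root.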
A remote attacker could access arbitrary files outside of the web server's document root, limited to files that the WEBrick server process itself is permitted to read.
Apply an Update
Ruby has released versions 1.8.5-p115 and 1.8.6-p114 for the 1.8 series. For the 1.9 series, apply the patch referenced in "File access vulnerability of WEBrick."
Systems Affected

| Vendor | Status   | Date Notified | Date Updated |
| Ruby   | Affected | -             | 04 Apr 2008  |

CVSS Metrics
Thanks to Alexandr Polyakov for reporting this vulnerability.
This document was written by John Hollenberger.
- CVE IDs: CVE-2008-1145
- Date Public: 06 Mar 2008
- Date First Published: 14 Apr 2008
- Date Last Updated: 14 Apr 2008
- Severity Metric: 12.83
- Document Revision: 9