CVE-2021-28966: Path traversal in Tempfile on Windows

There is an unintentional directory creation vulnerability in tmpdir library bundled with Ruby on Windows. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. This vulnerability has been assigned the CVE identifier CVE-2021-28966.

Details

Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "..\\", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.

This is the same issue as CVE-2018-6914, but the previous fix was incomplete on Windows.

All users running an affected release should upgrade immediately.

Affected versions

  • Ruby 2.7.2 or prior
  • Ruby 3.0.0

Credits

Thanks to Bugdiscloseguys for discovering this issue.

History

  • Originally published at 2021-04-05 12:00:00 (UTC)