GitHub Advisory DatabaseGHSA-8MVW-22R7-W6FQruby_parser allows local users to overwrite arbitrary files via symlink attack on temporary file with predictable name
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
5.2%
The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ruby_parser | ge | 2.0.2 | |
| ruby_parser | lt | 3.1.2 |
References
rhn.redhat.com/errata/RHSA-2013-0544.html
rhn.redhat.com/errata/RHSA-2013-0548.html
access.redhat.com/errata/RHSA-2013:0544
access.redhat.com/errata/RHSA-2013:0582
access.redhat.com/security/cve/CVE-2013-0162
bugzilla.redhat.com/show_bug.cgi?id=892806
github.com/advisories/GHSA-8mvw-22r7-w6fq
github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby_parser/CVE-2013-0162.yml
github.com/seattlerb/ruby_parser/commit/506c7e13cff6f8715385fa8488b621028b4ad280
github.com/seattlerb/ruby_parser/commit/c35acd878d50a8e4ea35933e3fbdc493421d422c
nvd.nist.gov/vuln/detail/CVE-2013-0162
Related
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
5.2%