3 matches found
CVE-2026-49342 YARD static cache reads raw traversal paths before router sanitization
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joine...
CVE-2022-47715
In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic...
DEBIAN-CVE-2017-17042
lib/yard/coreext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files...