CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 5.1 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 38.0%
tzinfo is vulnerable to directory traversal. While time zone files are loaded with require on demand, the library fails to validate time zone identifiers with a correctly anchored regular expression, so an identifier can contain a new line character. An attacker can therefore pass a crafted identifier to TZInfo::Timezone.get to load a malicious file that is then executed within the Ruby process.
github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7
github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf
github.com/tzinfo/tzinfo/commit/ca29f349856d62cb2b2edb3257d9ddd2f97b3c27
github.com/tzinfo/tzinfo/commit/e30354536fd786bcc8cab4d83c0887c53e3a96bd
github.com/tzinfo/tzinfo/releases/tag/v0.3.61
github.com/tzinfo/tzinfo/releases/tag/v1.2.10
github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
lists.debian.org/debian-lts-announce/2022/08/msg00009.html
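As an added illustration of the anchoring mistake the description refers to (not tzinfo's own code): in Ruby, `^` and `$` match at line boundaries, so a check built on them accepts an identifier with an embedded newline, while `\A` and `\z` anchor to the whole string. The regexes, the function names and the identifier character set are assumptions modelled on the advisory, not copied from the project.

```ruby
# Assumed identifier grammar: path segments of [A-Za-z0-9+-_] joined by '/'.
IDENT_CHARS = %r{[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*}

# Weak check (the class of bug described above): ^ and $ are line anchors in
# Ruby, so "Europe/London\nextra" passes because its first line matches.
def valid_identifier_weak?(id)
  !!(id =~ /^#{IDENT_CHARS}$/)
end

# Hardened check: \A and \z anchor to the start and end of the entire string,
# so a newline, "..", or any other character outside the set is rejected.
def valid_identifier_strict?(id)
  !!(id =~ /\A#{IDENT_CHARS}\z/)
end

# Builds the definition file path only for a strictly valid identifier, so
# nothing outside base_dir can ever be handed to require. Raises otherwise.
def definition_path(id, base_dir)
  raise ArgumentError, "invalid time zone identifier" unless valid_identifier_strict?(id)
  File.join(base_dir, *id.split("/")) + ".rb"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample identifiers, one of them carrying an embedded newline.
  ["Europe/London", "Etc/GMT+1", "Europe/London\nextra", "../etc"].each do |id|
    puts "#{id.inspect}: weak=#{valid_identifier_weak?(id)} strict=#{valid_identifier_strict?(id)}"
  end
end
```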