rubyzip is vulnerable to directory traversal attacks. A malicious user can pass a zip file containing files whose names include the `/`
character, or a zip file containing a symlink, to cause a directory traversal. This is related to CVE-2017-5946.
access.redhat.com/errata/RHSA-2018:3466
github.com/rubyzip/rubyzip/compare/e89f6aca440b36f90a961a8c5274c12fcacd9a19...8e78311d670ba70476fb46062c988849a82d1e02
github.com/rubyzip/rubyzip/issues/369
github.com/rubyzip/rubyzip/pull/371
lists.debian.org/debian-lts-announce/2018/08/msg00013.html
lists.debian.org/debian-lts-announce/2020/08/msg00002.html
www.sourceclear.com/vulnerability-database/security/directory-traversal/ruby/sid-3572/
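
A destination-containment check covering both inputs described above (entry names with `/` and symlinks), as an added example that is not rubyzip's own code. `safe_target`, `UnsafeEntry` and `demo` are hypothetical names, the entry names are constructed samples, and the mode argument is assumed to be the Unix mode bits stored with the entry.

```ruby
require 'tmpdir'

class UnsafeEntry < StandardError; end

S_IFMT  = 0o170000 # file-type mask in the Unix mode bits
S_IFLNK = 0o120000 # file type: symbolic link

# Returns the absolute path an entry may be written to, or raises UnsafeEntry.
def safe_target(dest_dir, entry_name, unix_mode = 0o100644)
  raise UnsafeEntry, "symlink entry: #{entry_name}" if (unix_mode & S_IFMT) == S_IFLNK

  root   = File.realpath(dest_dir)
  target = File.expand_path(entry_name, root) # collapses "..", absolute names win
  unless target.start_with?(root + File::SEPARATOR)
    raise UnsafeEntry, "escapes destination: #{entry_name}"
  end

  # A symlink already on disk below root would redirect the write elsewhere.
  path = root
  target[(root.length + 1)..].split(File::SEPARATOR).each do |part|
    path = File.join(path, part)
    raise UnsafeEntry, "path crosses symlink: #{entry_name}" if File.symlink?(path)
  end
  target
end

# Constructed demo: classify sample entries against a temporary destination.
def demo
  Dir.mktmpdir do |dest|
    File.symlink(Dir.tmpdir, File.join(dest, 'link')) # symlink already in dest
    samples = [['docs/readme.txt', 0o100644], ['../../outside.txt', 0o100644],
               ['/abs/outside.txt', 0o100644], ['evil', 0o120777],
               ['link/x', 0o100644]]
    samples.map do |name, mode|
      begin
        safe_target(dest, name, mode)
        [name, :ok]
      rescue UnsafeEntry => e
        [name, e.message.split(':').first]
      end
    end.to_h
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

An extractor would call a check like this for every entry before opening any file for writing, and skip or abort on `UnsafeEntry`.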