CVE-2021-28966
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
| Software | From | Fixed in |
|---|---|---|
| ruby-lang / ruby | - | 2.7.3 |
| ruby-lang / ruby | 3.0.0 | 3.0.1 |
tmpdir
|
- | 0.1.2 |
- https://github.com/ruby/tmpdir/commit/93798c01cb7c10476e50a4d80130a329ba47f348
- https://github.com/ruby/tmpdir/pull/8
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/tmpdir/CVE-2021-28966.yml
- https://hackerone.com/reports/1131465
- https://rubygems.org/gems/tmpdir
- https://security.netapp.com/advisory/ntap-20210902-0004/
- https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime