CVE-2019-1020001
yard Critical
File Access
Discovered over 1 year ago
Published over 2 years ago
Category: File Access
Source: GitHub
Severity: Critical

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The issue is resolved in v0.9.20 and later.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 0.9.20

Unaffected Versions

n/a

References

n/a

CVE-2009-4123
jruby-openssl Severe
SSL Verification Bypass
Discovered over 1 year ago
Published almost 12 years ago
Category: SSL Verification Bypass
Source: jruby.org
Severity: Severe

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 0.6

Unaffected Versions

n/a

References

n/a

CVE-2017-17042
yard Severe
File Access
Discovered over 1 year ago
Published almost 4 years ago
Category: File Access
Source: NIST NVD
Severity: Severe

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 0.9.11

Unaffected Versions

n/a

References

n/a