ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
CVSS v2.0: 5.0 (Medium)
PATCHED VERSIONS
- >= 0.9.11
DESCRIPTION
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.