Affecting yard gem, versions < 0.9.11
yard is a documentation generation tool for the Ruby programming language.
Affected versions of this package are vulnerable to Directory Traversal.
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
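The flaw class described above, shown as an added example that is not YARD's own code: a normalizer that collapses inner `dir/..` pairs but keeps a leading `..`, next to a resolver that confines the result to the document root. The names `naive_clean`, `resolve_weak`, `resolve_confined` and the root `/srv/docs` are hypothetical.

```ruby
# Simplified normalizer (hypothetical, not YARD's code): drops "." and cancels
# "dir/.." pairs, but a ".." with nothing left to cancel is kept in the output.
def naive_clean(path)
  parts = path.split("/").each_with_object([]) do |seg, acc|
    next if seg.empty? || seg == "."
    if seg == ".." && !acc.empty? && acc.last != ".."
      acc.pop
    else
      acc << seg
    end
  end
  parts.join("/")
end

# Weak form: trusts the normalized path and joins it onto the document root.
def resolve_weak(root, request_path)
  File.expand_path(File.join(root, naive_clean(request_path)))
end

# Hardened form: resolve lexically first, then require the result to be the
# root itself or a path below it. The separator suffix stops a sibling such as
# /srv/docs-private from passing a plain prefix comparison.
def resolve_confined(root, request_path)
  root = File.expand_path(root)
  full = File.expand_path(File.join(root, request_path))
  return nil unless full == root || full.start_with?(root + File::SEPARATOR)
  full
end

ROOT = "/srv/docs" # constructed sample document root

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths, not taken from the advisory.
  ["css/./style.css", "../../etc/passwd", "css/../../../etc/passwd",
   "../docs-private/notes.txt"].each do |req|
    puts format("%-28s weak=%-28s confined=%s", req,
                resolve_weak(ROOT, req), resolve_confined(ROOT, req).inspect)
  end
end
```

`File.expand_path` is purely lexical, so a server that follows symlinks under the root should also compare `File.realpath` of the target against the root before reading the file.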
- Snyk ID
- 23 Nov, 2017
- 25 Dec, 2017