Launchpad CVE tracker

CVE 2018-8780

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.

Related bugs and status

CVE-2018-8780 (Candidate) is related to these bugs:

Bug #1849203: CVE-2018-8780: ruby: Unintentional directory traversal by poisoned NULL byte in Dir

Summary				In	Importance	Status
	1849203	CVE-2018-8780: ruby: Unintentional directory traversal by poisoned NULL byte in Dir		StarlingX	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://www.ruby-lang....
CONFIRM: https://www.ruby-lang....
CONFIRM: https://www.ruby-lang....
CONFIRM: https://www.ruby-lang....
CONFIRM: https://www.ruby-lang....
BID: 103739
UBUNTU: USN-3626-1
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...
DEBIAN: DSA-4259
SECTRACK: 1042004
REDHAT: RHSA-2018:3729
REDHAT: RHSA-2018:3730
REDHAT: RHSA-2018:3731
SUSE: openSUSE-SU-2019:1771
REDHAT: RHSA-2019:2028
REDHAT: RHSA-2020:0542
REDHAT: RHSA-2020:0591
REDHAT: RHSA-2020:0663

Launchpad.net

CVE 2018-8780

Related bugs and status

Related bugs

References