Description
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check for NUL characters in the path they are given. When one of these methods is called with such a path, unintentional directory traversal may be performed.
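A defensive check an application can apply to externally supplied directory names before they reach these methods. This is an added example, not code from the advisory or from Ruby itself; `safe_entries`, `UnsafePathError` and the sample directory layout are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical error type for rejected paths.
class UnsafePathError < ArgumentError; end

# List a directory below +base+, refusing input that contains a NUL byte
# (the check the affected Dir methods lacked) or that resolves outside +base+.
def safe_entries(base, requested)
  requested = String(requested)
  raise UnsafePathError, "NUL byte in path" if requested.include?("\0")

  root   = File.realpath(base)
  # realpath resolves symlinks and ".." and raises Errno::ENOENT if missing.
  target = File.realpath(File.expand_path(requested, root))
  unless target == root || target.start_with?(root + File::SEPARATOR)
    raise UnsafePathError, "path escapes #{root}"
  end

  Dir.entries(target) - %w[. ..]
end

# Constructed sample tree and inputs; returns a hash of input => outcome.
def demo
  Dir.mktmpdir do |tmp|
    FileUtils.mkdir_p(File.join(tmp, "public", "docs"))
    FileUtils.touch(File.join(tmp, "public", "docs", "readme.txt"))
    FileUtils.touch(File.join(tmp, "secret.txt"))
    base = File.join(tmp, "public")

    results = { ok: safe_entries(base, "docs") }
    ["docs\0ignored", "../", "docs/../.."].each do |bad|
      begin
        safe_entries(base, bad)
        results[bad] = :allowed
      rescue UnsafePathError
        results[bad] = :rejected
      end
    end
    results
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```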
Remediation
References