Description
RubyGems as shipped with Ruby 2.2.9 and earlier (2.2 series), Ruby 2.3.6 and earlier (2.3 series), Ruby 2.4.3 and earlier (2.4 series), Ruby 2.5.0 and earlier (2.5 series), and trunk before revision 62422 contains a directory traversal vulnerability in the install_location function of package.rb. The containment check on the computed install path is lexical only: when an archive entry is written beneath a directory inside the install root that is actually a symlink pointing outside that root, the check passes and the file is written outside the root. The vulnerability is fixed in RubyGems 2.7.6.
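The mechanism described above, as an added example (this is not RubyGems code, and the function names are hypothetical): a lexical containment check of the kind that a symlinked directory defeats, next to a hardened check that resolves symlinks with File.realpath before comparing against the root. The scenario is constructed in a temporary directory: the install root contains a symlink to a directory outside it, and an archive entry names a file beneath that symlink.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not RubyGems code: contrasts a lexical containment check
# (the shape of the flaw described above) with one that resolves symlinks.
# Function names are hypothetical.

# Lexical check: join, normalize with expand_path, compare the prefix.
# "evil/payload.rb" under a root where "evil" is a symlink to a directory
# outside the root still passes, because nothing here touches the filesystem.
def lexical_install_location(filename, destination_dir)
  raise ArgumentError, "absolute path in archive: #{filename}" if filename.start_with?("/")
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  unless destination.start_with?(destination_dir + "/")
    raise ArgumentError, "#{filename} escapes #{destination_dir}"
  end
  destination
end

# Hardened check: after the lexical check, resolve the deepest existing
# ancestor of the target with File.realpath and require it to sit under the
# resolved root. Callers must write to the returned (resolved) path, never to
# a raw File.join of the inputs.
def realpath_install_location(filename, destination_dir)
  destination = lexical_install_location(filename, destination_dir)
  root = File.realpath(destination_dir)
  # realpath needs an existing path, so walk up until one exists.
  existing = File.dirname(destination)
  existing = File.dirname(existing) until File.exist?(existing) || existing == "/"
  resolved_parent = File.realpath(existing)
  unless resolved_parent == root || resolved_parent.start_with?(root + "/")
    raise ArgumentError, "#{filename} resolves outside #{root} via symlink"
  end
  # Also refuse to write through a symlink sitting at the target itself.
  raise ArgumentError, "#{filename} is an existing symlink" if File.symlink?(destination)
  remainder = destination[existing.length..-1].sub(%r{\A/}, "")
  File.join(resolved_parent, remainder)
end

# Constructed scenario: the install root holds a symlink "evil" to a directory
# outside it, and an archive entry targets a file under that symlink.
def demo_symlinked_basedir
  Dir.mktmpdir("gem-traversal") do |tmp|
    root = File.join(tmp, "install")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p(root)
    FileUtils.mkdir_p(outside)
    File.symlink(outside, File.join(root, "evil"))
    entry = "evil/payload.rb"
    lexical = lexical_install_location(entry, root) # no error: looks contained
    realpath = begin
      realpath_install_location(entry, root)
      :accepted
    rescue ArgumentError
      :rejected
    end
    {
      lexical: :accepted,
      realpath: realpath,
      # Where a write to the lexically approved path would really land.
      lexical_target_really_outside:
        File.realpath(File.dirname(lexical)) == File.realpath(outside)
    }
  end
end

# Sanity checks: a normal entry under a not-yet-created subdirectory is
# accepted with a resolved path; a plain "../" entry is rejected.
def demo_benign_and_dotdot
  Dir.mktmpdir("gem-traversal") do |tmp|
    root = File.join(tmp, "install")
    FileUtils.mkdir_p(root)
    benign = realpath_install_location("lib/foo.rb", root)
    dotdot = begin
      realpath_install_location("../escape.rb", root)
      :accepted
    rescue ArgumentError
      :rejected
    end
    expected = File.join(File.realpath(root), "lib/foo.rb")
    { benign: (benign == expected ? :accepted : :wrong_path), dotdot: dotdot }
  end
end

if $PROGRAM_NAME == __FILE__
  p demo_symlinked_basedir   # lexical accepts, realpath rejects
  p demo_benign_and_dotdot   # benign accepted, "../" rejected
end
```

The lexical variant is exactly as strong as the string it inspects: expand_path never consults the filesystem, so a symlink planted earlier in the same archive (or already present on disk) turns an in-root prefix into an out-of-root write. Resolving the existing ancestor with File.realpath closes that gap; rejecting a symlink at the target path itself covers the companion case of overwriting through a link.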
Remediation
Upgrade RubyGems to 2.7.6 or later (for example with gem update --system), or move to a Ruby release whose bundled RubyGems is newer than the affected patch levels listed above.
References