Skip to content

ruby_parser allows local users to overwrite arbitrary files via symlink attack on temporary file with predictable name

Low severity GitHub Reviewed Published May 5, 2022 to the GitHub Advisory Database • Updated Aug 16, 2023

Package

bundler ruby_parser (RubyGems)

Affected versions

>= 2.0.2, < 3.1.2

Patched versions

3.1.2

Description

The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

References

Published by the National Vulnerability Database Mar 1, 2013
Published to the GitHub Advisory Database May 5, 2022
Reviewed Mar 8, 2023
Last updated Aug 16, 2023

Severity

Low

EPSS score

0.042%
(5th percentile)

Weaknesses

CVE ID

CVE-2013-0162

GHSA ID

GHSA-8mvw-22r7-w6fq

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.