Closed mend-bolt-for-github[bot] closed 4 years ago
## CVE-2018-17567 - High Severity Vulnerability

### Vulnerable Library - jekyll-3.6.2.gem

Jekyll is a simple, blog-aware, static site generator.

Library home page: https://rubygems.org/gems/jekyll-3.6.2.gem

Dependency Hierarchy:
- jekyll-feed-0.9.2.gem (Root Library)
  - :x: **jekyll-3.6.2.gem** (Vulnerable Library)

Found in HEAD commit: ddcd306c9a58bfb9018745924934d0fcd1158595

Found in base branch: master
### Vulnerability Details

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

Publish Date: 2018-09-28

URL: [CVE-2018-17567](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17567)

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17567

Release Date: 2018-09-28

Fix Resolution: v3.7.4, v3.8.4

Step up your Open Source Security Game with WhiteSource