CVE-2018-17567

Published: Sep 28, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

Affected (3)

Products: Jekyllrb: Jekyll

Jekyllrb

1 product

Jekyll

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Jekyllrb Jekyll	Up to 3.6.2
Jekyllrb Jekyll	From 3.7.0 to 3.7.3
Jekyllrb Jekyll	From 3.8.0 to 3.8.3

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (6)

https://github.com/jekyll/jekyll/pull/7224

Source: cve@mitre.org

PatchThird Party Advisory

https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/

Source: cve@mitre.org

PatchVendor Advisory

https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b11309f04ad984%40%3Ccommits.accumulo.apache.org%3E

Source: cve@mitre.org

https://github.com/jekyll/jekyll/pull/7224

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b11309f04ad984%40%3Ccommits.accumulo.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.