CVE-2018-1000544
Description
The rubyzip gem, version 1.2.1 and earlier, contains a directory traversal vulnerability in the Zip::File component that can result in arbitrary files being written to the filesystem. The attack is exploitable where a site allows uploading of .zip files: an attacker can upload a malicious archive containing symlinks, or entries with absolute pathnames or "../" sequences, to write arbitrary files to the filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rubyzip gem <=1.2.1 has a directory traversal in Zip::File, allowing arbitrary file writes via malicious ZIP files.
Vulnerability
The rubyzip gem version 1.2.1 and earlier contains a directory traversal vulnerability in the Zip::File component [1][2]. When extracting a specially crafted ZIP archive, the library does not properly sanitize entry names containing absolute paths (e.g., /tmp/file.txt) or path traversal sequences (e.g., ../../file) [3]. This allows an attacker to write arbitrary files to the filesystem [4].
Exploitation
An attacker can exploit this by uploading a malicious ZIP file to a site that accepts ZIP uploads and extracts them with rubyzip [1][4]. The crafted archive can contain entries with absolute paths, "../" sequences, or symlinks pointing outside the extraction directory [3]. For example, a symlink entry path -> ../../../../tmp followed by a file entry path/file.txt causes rubyzip to create the link and then write the file through it, so the file lands in /tmp [4]. The second entry's name contains no traversal sequence, which is why a filter that only strips "../" does not stop this variant. No authentication is required beyond the ability to upload the ZIP file.
Impact
Successful exploitation lets an attacker write arbitrary files to any location writable by the process performing the extraction [1][3]. This can lead to remote code execution if the attacker can overwrite files the system later executes or trusts (e.g., cron jobs, configuration files, or executables) [2][4]. The impact is high; the privileges of the extracting process bound how far it reaches, up to full system compromise when that process runs with broad write access.
Mitigation
The vulnerability is fixed in rubyzip version 1.2.2 and later [1][2]; users should update to the latest version. Red Hat released RHSA-2018:3466 for affected products [1], and Debian issued LTS announcements for its packages. If upgrading is not possible, avoid processing untrusted ZIP files, or validate every entry before extraction: reject absolute names, names that resolve outside the destination directory, and symlink entries, and extract into a fresh, empty directory so that no pre-existing link can be followed. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
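The traversal, absolute-path and symlink variants described above, together with the entry-name check an application had to supply itself on rubyzip 1.2.1 and earlier, as an added Ruby example. This is not rubyzip project code and does not use the gem: it builds a small archive in memory with the standard library, parses the central directory back, and decides for each entry whether it may be written under a constructed destination directory (/srv/app/extract). The entry names and file contents are constructed for illustration. Note that path/file.txt passes the name check on its own; it is harmless only because the symlink entry path that would redirect it is dropped, which is why the check rejects symlink entries instead of only inspecting names.

```ruby
# Added example, not rubyzip project code: builds an in-memory ZIP archive
# holding the hostile entry kinds this CVE describes, reads its central
# directory back with a minimal stdlib-only parser, and applies the kind of
# containment check an application had to supply itself with rubyzip
# <= 1.2.1. Nothing is written to disk. Destination paths are constructed.
require 'zlib'

S_IFMT  = 0o170000   # Unix file-type mask
S_IFLNK = 0o120000   # symlink

# One archive member. mode is a Unix st_mode, recorded in the central
# directory's external attributes the way Unix zip tools store symlinks.
Member = Struct.new(:name, :data, :mode)

# Serialize members as "stored" (method 0) entries so no compressor is
# needed and compressed size == uncompressed size.
def build_zip(members)
  local = ''.b
  central = ''.b
  members.each do |m|
    name = m.name.b
    crc  = Zlib.crc32(m.data)
    size = m.data.bytesize
    offset = local.bytesize
    # Local file header: sig, version needed, flags, method, time, date,
    # crc32, compressed size, uncompressed size, name length, extra length.
    local << [0x04034b50, 20, 0, 0, 0, 0, crc, size, size,
              name.bytesize, 0].pack('Vv5V3v2') << name << m.data.b
    # Central directory header. "version made by" 0x0300 marks a Unix host,
    # so the high 16 bits of external attributes hold the file mode.
    central << [0x02014b50, 0x0300, 20, 0, 0, 0, 0, crc, size, size,
                name.bytesize, 0, 0, 0, 0, m.mode << 16,
                offset].pack('Vv6V3v5VV') << name
  end
  eocd = [0x06054b50, 0, 0, members.size, members.size,
          central.bytesize, local.bytesize, 0].pack('Vv4V2v')
  local + central + eocd
end

# Walk the central directory and return [name, mode] pairs. mode is nil
# unless the entry was made on a Unix host (high byte of "version made by").
def read_central_directory(zip)
  eocd = zip.rindex([0x06054b50].pack('V')) or raise 'no end-of-central-directory record'
  count, _cd_size, cd_offset = zip[eocd + 10, 10].unpack('vVV')
  pos = cd_offset
  Array.new(count) do
    raise 'bad central directory header' unless zip[pos, 4] == [0x02014b50].pack('V')
    made_by = zip[pos + 4, 2].unpack1('v')
    name_len, extra_len, comment_len = zip[pos + 28, 6].unpack('v3')
    ext_attrs = zip[pos + 38, 4].unpack1('V')
    name = zip[pos + 46, name_len].force_encoding(Encoding::UTF_8)
    pos += 46 + name_len + extra_len + comment_len
    [name, (made_by >> 8) == 3 ? ext_attrs >> 16 : nil]
  end
end

# May this entry be written under dest_dir? Rejects symlink entries (the
# "path -> ../../../../tmp" trick), absolute and drive-letter names,
# backslashes and NULs, and any name that resolves outside dest_dir.
# Pure string logic; it never consults the filesystem.
def safe_entry_path?(dest_dir, name, mode)
  return false if mode && (mode & S_IFMT) == S_IFLNK
  return false if name.empty? || !name.valid_encoding?
  return false if name.include?("\0") || name.include?('\\')
  return false if name.start_with?('/') || name.match?(/\A[A-Za-z]:/)
  root = File.absolute_path(dest_dir).chomp('/')
  # File.absolute_path, unlike File.expand_path, never expands "~user".
  target = File.absolute_path(name, root)
  target.start_with?(root + '/')
end

# Constructed sample archive; the hostile names mirror the advisory text.
SAMPLE = build_zip([
  Member.new('report.txt',            "quarterly numbers\n", 0o100644),
  Member.new('../../etc/cron.d/evil', "* * * * * root id\n", 0o100644),
  Member.new('/tmp/absolute.txt',     "absolute path\n",     0o100644),
  Member.new('path',                  '../../../../tmp',     0o120777), # symlink
  Member.new('path/file.txt',         "lands in /tmp\n",     0o100644),
])

# Split an archive's entry names into [extractable, dropped] for dest_dir.
def classify(zip, dest_dir = '/srv/app/extract')
  read_central_directory(zip)
    .partition { |name, mode| safe_entry_path?(dest_dir, name, mode) }
    .map { |group| group.map(&:first) }
end

if $PROGRAM_NAME == __FILE__
  safe, dropped = classify(SAMPLE)
  puts "extract: #{safe.inspect}"
  puts "drop:    #{dropped.inspect}"
end
```

Running the file prints report.txt and path/file.txt as extractable and the other three entries as dropped. The check is deliberately pure string logic so it can run before anything is created; in a real extractor, pair it with extraction into a fresh empty directory and an lstat on each path component at write time, since a tree the attacker has already influenced may contain links that no name check can see.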
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rubyzip (RubyGems) | < 1.2.2 | 1.2.2 |
Affected products
Three entries sourced from GHSA coordinates, none with a CPE:
- pkg:gem/rubyzip (no CPE): range < 1.2.2
- pkg:rpm/opensuse/ruby3.2-rubygem-rubyzip, distro openSUSE Tumbleweed (no CPE): range < 2.3.2-1.11
- pkg:rpm/opensuse/rubygem-rubyzip, distro openSUSE Tumbleweed (no CPE): range < 2.3.2-1.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
Seven references, all listed by the GitHub Security Advisory:
- access.redhat.com/errata/RHSA-2018:3466 (Red Hat vendor advisory)
- github.com/advisories/GHSA-vqcq-mrmw-mcmg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000544 (NVD entry)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2018-1000544.yml (ruby-advisory-db entry)
- github.com/rubyzip/rubyzip/issues/369 (upstream issue)
- lists.debian.org/debian-lts-announce/2018/08/msg00013.html (Debian LTS announcement)
- lists.debian.org/debian-lts-announce/2020/08/msg00002.html (Debian LTS announcement)
News mentions
No linked articles in our index yet.