{
  "threat_severity" : "Moderate",
  "public_date" : "2017-11-24T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-yard: (lib/yard/core_ext/file.rb) is vulnerable to directory traversal attacks",
    "id" : "1519065",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1519065"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-22",
  "details" : [ "lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files." ],
  "statement" : "This issue affects the versions of rubygem-yard as shipped with Red Hat Subscription Asset Manager 1.x and Message Routing and Grid 2.x. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-yard",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-yard",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-17042\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-17042" ],
  "name" : "CVE-2017-17042",
  "csaw" : false
}