Headline
GHSA-5cm2-9h8c-rvfx: TZInfo relative path traversal vulnerability allows loading of arbitrary files
Impact
Affected versions
- 0.3.60 and earlier.
- 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).
Vulnerability
With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require
on demand. In the affected versions, TZInfo::Timezone.get
fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get
can be made to load unintended files with require
, executing them within the Ruby process.
For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb
:
TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")
The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.
TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.
This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.
Versions 2.0.0 and later are not vulnerable.
Patches
Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers.
Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition
within a directory in the load path. For example if /tmp/upload
was in the load path, then TZInfo::Timezone.get('foo')
could load a file with path /tmp/upload/tzinfo/definition/foo.rb
. Applications should ensure that untrusted files are not placed in a directory on the load path.
Workarounds
As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get
by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z
.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the tzinfo repository.
Impact****Affected versions
- 0.3.60 and earlier.
- 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).
Vulnerability
With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.
For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:
TZInfo::Timezone.get(“foo\n/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/tmp/payload”)
The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.
TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.
This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.
Versions 2.0.0 and later are not vulnerable.
Patches
Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers.
Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get(‘foo’) could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.
Workarounds
As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9±]+(?:/[A-Za-z0-9±]+)*\z.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the tzinfo repository.
References
- GHSA-5cm2-9h8c-rvfx
- https://nvd.nist.gov/vuln/detail/CVE-2022-31163
- tzinfo/tzinfo@ca29f34
- https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61
- https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10
Related news
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30122: rubygem-rack: crafted multipart POST request may cause a DoS * CVE-2022-31163: rubygem-tzinfo: arbitrary code execution
Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the ...