TZInfo prior 0.3.61/1.2.10 TZInfo::Timezone.get path traversal

Summaryinfo

A vulnerability classified as critical has been found in TZInfo. This affects the function TZInfo::Timezone.get. The manipulation leads to path traversal. This vulnerability is listed as CVE-2022-31163. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in TZInfo. This issue affects the function TZInfo::Timezone.get. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-23. The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.

The weakness was presented 07/22/2022 as GHSA-5cm2-9h8c-rvfx. The advisory is shared at github.com. The identification of this vulnerability is CVE-2022-31163 since 05/18/2022. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

Upgrading to version 0.3.61 or 1.2.10 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch ca29f349856d62cb2b2edb3257d9ddd2f97b3c27 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• TZInfo

License

• open-source

Website

• Product: https://github.com/tzinfo/tzinfo/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion