CVE-2021-28966

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to write arbitrary files to the Windows temporary directory by submitting crafted paths when a Ruby web application passes user-controlled parameters to TmpDir. It affects Ruby applications running on Windows servers that handle user input. Attackers can potentially achieve remote code execution or data manipulation.

💻 Affected Systems

Products:
  • Ruby
  • Ruby on Rails applications
  • Other Ruby web frameworks
Versions: Ruby versions up to and including 3.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems. Applications must use TmpDir parameter handling with user-controlled input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case: Arbitrary file write allowing attackers to plant malicious files, modify application behavior, or achieve limited code execution.

🟢 If Mitigated: File write limited to the temporary directory, with proper input validation and file permission restrictions.

🌐 Internet-Facing: HIGH - Web applications accepting user input are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the web application to pass user input to TmpDir. A public HackerOne report demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ruby 3.0.1 and later

Vendor Advisory: https://www.ruby-lang.org/en/news/2021/03/31/ruby-3-0-1-released/

Restart Required: Yes

Instructions:

1. Update Ruby to version 3.0.1 or later.
2. Restart all Ruby applications and services.
3. Verify the patch is applied by checking the Ruby version.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for all parameters that could be passed to TmpDir functions.

Application-level file path restrictions (applies to: all)

Implement application logic to restrict file operations to specific directories and validate all file paths.
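The two workarounds above, as an added example that is not part of this advisory or of Ruby's own tmpdir code: a user-supplied prefix is checked against a short allow-list before it reaches Dir.mktmpdir, and the created directory is then confirmed to sit under Dir.tmpdir. The helper names (safe_prefix?, mktmpdir_from_param, inside_tmpdir?) and the 32-character limit are assumptions chosen for the example.

```ruby
require "tmpdir"
require "fileutils"

# Allow-list for a temp directory prefix: letters, digits, underscore and
# hyphen only, so no "/" or "\" separators, no drive letter ("C:"), no ".."
# components and no NUL bytes can reach Dir.mktmpdir. The length limit (32)
# is an assumption for this example.
SAFE_PREFIX = /\A[A-Za-z0-9_-]{1,32}\z/

def safe_prefix?(prefix)
  prefix.is_a?(String) && SAFE_PREFIX.match?(prefix)
end

# Create a temporary directory from a user-controlled parameter, refusing
# anything not on the allow-list instead of passing it through unchanged.
def mktmpdir_from_param(param)
  raise ArgumentError, "unsafe tmpdir prefix: #{param.inspect}" unless safe_prefix?(param)
  Dir.mktmpdir(param)
end

# Defence in depth: after creation, confirm the directory really lives under
# the system temp directory, whatever the platform made of the prefix.
def inside_tmpdir?(path)
  base = File.realpath(Dir.tmpdir)
  real = File.realpath(path)
  real == base || real.start_with?(base + File::SEPARATOR)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one benign prefix and three traversal attempts.
  ["upload_123", "../../evil", "..\\..\\evil", "C:\\Windows"].each do |p|
    puts "#{p.inspect} -> #{safe_prefix?(p) ? 'accepted' : 'rejected'}"
  end
  dir = mktmpdir_from_param("upload_123")
  puts "created #{dir}, inside tmpdir: #{inside_tmpdir?(dir)}"
  FileUtils.rm_rf(dir)
end
```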

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious path patterns in requests.
  • Restrict file system permissions for Ruby application user to minimize impact of arbitrary file writes.

🔍 How to Verify

Check if Vulnerable:

Check whether the Ruby version is 3.0.0 or earlier on Windows and the application uses TmpDir with user input.

Check Version:

ruby -v

Verify Fix Applied:

Verify that the Ruby version is 3.0.1 or later using the 'ruby -v' command.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in temporary directories
  • Suspicious path patterns in web application logs

Network Indicators:

  • HTTP requests containing crafted path parameters targeting TmpDir endpoints

SIEM Query:

source="web_logs" AND (path:*..* OR path:*:* OR path:*\\*) AND endpoint="*tmp*"
