CVE-2022-31163 – TZInfo relative path traversal vulnerability allows loading of arbitrary files
https://notcve.org/view.php?id=CVE-2022-31163
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.3.61, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files, one file per time zone, and a time zone file is loaded with `require` on demand when its identifier is requested.

References:
• https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7
• https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf
• https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61
• https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10
• https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
• https://lists.debian.org/debian-lts-announce/2022/08/msg00009.html
• https://access.redhat.com/security/cve/CVE-2022-31163
• https://bugzilla.redhat.com/show_bug.cgi&

Weakness classification:
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-23: Relative Path Traversal
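As an added example (not TZInfo's own code), the kind of check a loader should apply before an untrusted time zone identifier is turned into a `require` path: an allow-list grammar for identifiers plus a containment check on the resolved file. DATA_DIR, IDENTIFIER_RE and the function names are assumptions made for this illustration.

```ruby
# Constructed stand-in for the data source's definitions directory
# (assumption: the real tzinfo-data layout is not reproduced here).
DATA_DIR = '/opt/tzinfo-data/definitions'.freeze

# Assumed identifier grammar: one or more segments of [A-Za-z0-9+_-]
# separated by single '/', e.g. "America/New_York" or "Etc/GMT+1".
# '.' is deliberately absent, so "." and ".." segments cannot pass.
# \A and \z are used rather than ^ and $: in Ruby, $ matches before a
# trailing newline, which would let "UTC\n../x" slip through.
IDENTIFIER_RE = %r{\A[A-Za-z0-9+_-]+(?:/[A-Za-z0-9+_-]+)*\z}.freeze

class InvalidTimezoneIdentifier < StandardError; end

# Map an identifier onto the .rb file that defines it, or raise.
def safe_definition_path(identifier)
  unless identifier.is_a?(String) && identifier.match?(IDENTIFIER_RE)
    raise InvalidTimezoneIdentifier, identifier.inspect
  end

  segments = identifier.split('/')
  # Defence in depth: even if the grammar is relaxed later, never accept
  # a segment that names the current or parent directory.
  if segments.any? { |s| s == '.' || s == '..' }
    raise InvalidTimezoneIdentifier, identifier
  end

  path = File.expand_path(File.join(DATA_DIR, *segments) + '.rb')
  # Final containment check: the resolved path must stay under DATA_DIR.
  unless path.start_with?(DATA_DIR + '/')
    raise InvalidTimezoneIdentifier, identifier
  end
  path
end

# Convenience predicate for callers that only need accept/reject.
def definition_path_ok?(identifier)
  safe_definition_path(identifier)
  true
rescue InvalidTimezoneIdentifier
  false
end
```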