|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2016-1000305 (guard-livereload): Directory traversal vulnerability in |
| 4 | + guard-livereload' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- guard-livereload |
| 8 | +advisory: |
| 9 | + gem: guard-livereload |
| 10 | + cve: 2016-1000305 |
| 11 | + url: https://security.snyk.io/vuln/SNYK-RUBY-GUARDLIVERELOAD-20361 |
| 12 | + title: Directory traversal vulnerability in guard-livereload |
| 13 | + date: 2016-02-04 |
| 14 | + description: |- |
| 15 | + The vulnerability allows remote attackers to read arbitrary files |
| 16 | + on the server by exploiting improper path validation in the |
| 17 | + livereload server functionality. |
| 18 | +
|
| 19 | + This vulnerability is related to the handling of file paths in the |
| 20 | + livereload server component, which could allow an attacker to traverse |
| 21 | + directories and access files outside the intended web root directory. |
| 22 | +
|
| 23 | + The issue was identified and reported through the DWF (Distributed |
| 24 | + Weakness Filing) project, which assigns CVE identifiers for |
| 25 | + security vulnerabilities. |
| 26 | +
|
| 27 | + A directory traversal vulnerability exists in |
| 28 | + guard-livereload before version 2.5.2. |
| 29 | + cvss_v3: 5.3 |
| 30 | + patched_versions: |
| 31 | + - ">= 2.5.2" |
| 32 | + related: |
| 33 | + url: |
| 34 | + - https://security.snyk.io/vuln/SNYK-RUBY-GUARDLIVERELOAD-20361 |
| 35 | + - https://rubygems.org/gems/guard-livereload/versions/2.5.2 |
| 36 | + - https://github.com/guard/guard-livereload/releases/tag/v2.5.2 |
| 37 | + - https://github.com/guard/guard-livereload/pull/158 |
| 38 | + - https://github.com/guard/guard-livereload/pull/158/changes/a24c99e4ce4542d16f5a578df8d47b1275feca46 |
| 39 | + - https://github.com/guard/guard-livereload/issues/159 |
| 40 | + - https://github.com/rubysec/ruby-advisory-db/issues/289 |
| 41 | + - https://github.com/rubysec/ruby-advisory-db/pull/1026 |
| 42 | + notes: | |
| 43 | + - 1/11/2026, 6/8/2026 Notes |
| 44 | + - 1. Deal with cve-2016-1000305 |
| 45 | + - real, reserved, published?(NONE OF THE ABOVE) |
| 46 | + - (DEAD) https://cve.report/CVE-2016-1000305 (CVE NOT PUBLISHED) |
| 47 | + - 2. No GHSA for guard-livereload gem. (checked/fyi) |
| 48 | + - 3. "date: 2016-02-03" came from gem release date. (fyi) |
| 49 | + - 4. Pick which description: text to use. (done) |
| 50 | + - 5. Check "unaffected_versions:" and "patched_versions:" values. (done) |
| 51 | + - 6. "cvss_v3: 5.3" came from SNYK URL (fyi) |
| 52 | + - 7. Fill in "related:" URLs. (done) |
| 53 | + - PR#1026: notes: |
| 54 | + - DWF: This vulnerability was assigned CVE-2016-1000305 by |
| 55 | + the DWF (Distributed Weakness Filing) project. |
| 56 | + - (DWF Info) https://lwn.net/Articles/679441 |
| 57 | + - (DEAD LINK) https://github.com/distributedweaknessfiling/ |
| 58 | + DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f |
| 59 | + 523ecfca52/DWF/2016/1000305/CVE-2016-1000305.json |
| 60 | + - WARNING: The gem has not been released after fixing this |
| 61 | + vulnerability in version 2.5.2. |
| 62 | + - Users should consider migrating to rack-livereload as an alternative. |
| 63 | +--- |
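Review bot: the front matter and the embedded notes disagree with each other on two points that should be resolved before this advisory is merged. First, the date: line 13 sets `date: 2016-02-04`, but note 3 on line 48 says `"date: 2016-02-03" came from gem release date.`; one of these is wrong, and since the note states the date was taken from the gem release, the value on line 13 should match it. Second, the fix status: line 31 declares `- ">= 2.5.2"` under `patched_versions:` and lines 35 and 36 link the 2.5.2 release on rubygems.org and GitHub, yet the note on lines 60-61 reads `WARNING: The gem has not been released after fixing this vulnerability in version 2.5.2.` If 2.5.2 is published with the fix, the warning is stale and should be dropped (or reworded to say what is actually meant, e.g. that no release newer than 2.5.2 exists); if the fix is not in a released gem, `patched_versions:` is incorrect and consumers of this advisory would be told they are safe when they are not. Also, note 5 refers to checking `unaffected_versions:`, but no such key appears in the front matter; either add it or remove the reference. Finally, the working checklist items (`(done)`, `(fyi)`, `(DEAD LINK)`, the 2026 dates) are internal tracking state rather than advisory content; the DWF attribution and the rack-livereload migration suggestion are the only lines under `notes:` that belong in the published record.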