GHSA-29g5-m8v7-v564

Source

https://github.com/advisories/GHSA-29g5-m8v7-v564

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-29g5-m8v7-v564/GHSA-29g5-m8v7-v564.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-29g5-m8v7-v564

Published

2025-07-15T15:35:37Z

Modified

2025-07-15T16:02:11.129252Z

Severity

4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Measured is vulnerable to Path Traversal attacks during class initialization

Details

Impact

A path traversal vulnerability exists where an attacker with access to manipulate inputs when initializing the Measured::Cache::Json class would be able to instruct the library to read arbitrary files.

Patches

Users should update to the latest version.

Database specific

{
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed_at": "2025-07-15T15:35:37Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

RubyGems / measured

Package

Name: measured
Purl: pkg:gem/measured

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.1

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.3.1

1.4.0

1.5.0

1.6.0

2.*

2.0.0.pre1

2.0.0.pre2

2.0.0.pre3

2.0.0.pre4

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.5.1

2.5.2

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

3.*

3.0.0

3.1.0

3.2.0