{"id":"CVE-2021-28966","details":"In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.","aliases":["BIT-ruby-2021-28966","BIT-ruby-min-2021-28966","GHSA-46f2-3v63-3xrp"],"modified":"2026-05-18T21:05:18.473205Z","published":"2021-07-30T14:15:16.303Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210902-0004/"},{"type":"FIX","url":"https://hackerone.com/reports/1131465"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"fixed":"6847ee089d7655b2a0eea4fee3133aeacd4cc7cc"},{"introduced":"95aff214687a5e12c3eb57d056665741e734c188"},{"fixed":"0fb782ee38ea37fd5fe8b1f775f8ad866a82a3f0"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.7.3"},{"introduced":"3.0.0"},{"fixed":"3.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*"}}],"versions":["v3_0_0","v2_7_2","v2_7_1","v2_7_0","v2_7_0_rc2","v2_7_0_rc1","v2_7_0_preview3","v2_7_0_preview2","v2_7_0_preview1","v1_0_r2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28966.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}