{"id":"CVE-2018-17567","details":"Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the \"include\" key in the \"_config.yml\" file.","aliases":["GHSA-4xjh-m3qx-49wc"],"modified":"2026-04-10T04:07:45.013957Z","published":"2018-09-28T00:29:04.553Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b11309f04ad984%40%3Ccommits.accumulo.apache.org%3E"},{"type":"FIX","url":"https://github.com/jekyll/jekyll/pull/7224"},{"type":"FIX","url":"https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jekyll/jekyll","events":[{"introduced":"0"},{"last_affected":"0d555a7361ad4d07fad7381a0118f94512b83231"},{"introduced":"4d6959ca4c57aa966189b0addee354985b10ac66"},{"last_affected":"6298d06f40a7789ad9e2c0a51b22fb38cc12c954"},{"introduced":"d0b907c2e6154672336847dd2ce0f578309cecfb"},{"last_affected":"48e2de862d8396e6ff2f30e2231ac67c5f233b61"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.6.2"},{"introduced":"3.7.0"},{"last_affected":"3.7.3"},{"introduced":"3.8.0"},{"last_affected":"3.8.3"}]}}],"versions":["v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.10.0","v0.11.0","v0.11.1","v0.11.2","v0.12.0","v0.2.1","v0.3.0","v0.4.0","v0.4.1","v0.5.0","v0.5.1","v0.5.2","v0.5.4","v0.5.7","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.8.0","v0.9.0","v1.0.0","v1.0.0.beta1","v1.0.0.beta2","v1.0.0.beta3","v1.0.0.beta4","v1.0.0.rc1","v1.0.1","v1.0.2","v1.0.3","v1.1.0","v1.1.1","v1.1.2","v1.2.0","v1.2.1","v1.3.0","v1.3.0.rc","v1.3.1","v1.4.0","v2.0.0","v2.0.0.alpha.1","v2.0.0.alpha.2","v2.0.0.alpha.3","v2.0.0.rc1","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.2.0","v2.3.0","v2.4.0","v2.5.0","v2.5.1","v2.5.2","v3.0.0","v3.0.0.beta1","v3.0.0.beta2","v3.0.0.pre.beta10","v3.0.0.pre.beta2","v3.0.0.pre.beta3","v3.0.0.pre.beta4","v3.0.0.pre.beta5","v3.0.0.pre.beta6","v3.0.0.pre.beta7","v3.0.0.pre.beta8","v3.0.0.pre.beta9","v3.0.0.pre.rc1","v3.0.1","v3.1.0","v3.1.0.pre.beta1","v3.1.0.pre.rc1","v3.1.0.pre.rc2","v3.1.0.pre.rc3","v3.1.1","v3.1.2","v3.2.0","v3.2.0.pre.beta1","v3.2.0.pre.beta2","v3.2.1","v3.3.0","v3.3.0.pre.rc1","v3.3.1","v3.4.0","v3.5.0","v3.5.1","v3.6.0","v3.6.0.pre.beta1","v3.6.1","v3.6.2","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.8.0","v3.8.1","v3.8.2","v3.8.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17567.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}