{"id":"CVE-2021-28966","details":"In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.","aliases":["BIT-ruby-2021-28966","BIT-ruby-min-2021-28966","GHSA-46f2-3v63-3xrp"],"modified":"2026-04-10T04:31:52.014433Z","published":"2021-07-30T14:15:16.303Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210902-0004/"},{"type":"FIX","url":"https://hackerone.com/reports/1131465"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"fixed":"6847ee089d7655b2a0eea4fee3133aeacd4cc7cc"},{"introduced":"95aff214687a5e12c3eb57d056665741e734c188"},{"fixed":"0fb782ee38ea37fd5fe8b1f775f8ad866a82a3f0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.3"},{"introduced":"3.0.0"},{"fixed":"3.0.1"}]}}],"versions":["v1_0_r2","v2_7_0","v2_7_0_preview1","v2_7_0_preview2","v2_7_0_preview3","v2_7_0_rc1","v2_7_0_rc2","v2_7_1","v2_7_2","v3_0_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28966.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}