PatchSiren cyber security CVE debrief

CVE-2017-5946 Debian CVE debrief

CVE-2017-5946 is a critical directory traversal issue in rubyzip's Zip::File component. If an application accepts untrusted ZIP uploads and processes them with affected versions, a crafted archive can use "../" path substrings to write files outside the intended extraction location. NVD rates the issue 9.8 with network access, no privileges, and no user interaction, so services that handle user-supplied archives should treat it as high risk.

Vendor: Debian
Product: CVE-2017-5946
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Security teams and developers running Ruby applications that accept ZIP uploads or unpack third-party archives should prioritize this. Debian deployments are relevant where installed packages depend on vulnerable rubyzip versions. Any environment where archive extraction can influence application data, configuration, or other writable locations should be reviewed.

Technical summary

NVD classifies the flaw as CWE-22 and lists affected rubyzip versions before 1.2.1. The issue is a path traversal in Zip::File handling: archive entries containing "../" can escape the target directory and write arbitrary files on the filesystem during extraction or related file operations. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable, unauthenticated condition with severe impact if attacker-controlled ZIP content is processed.

Defensive priority

High priority. Any internet-facing service that ingests ZIP files or uses rubyzip in upload, import, or extraction workflows should be reviewed immediately and upgraded to a fixed release.

Recommended defensive actions

  • Upgrade rubyzip to version 1.2.1 or later.
  • Inventory Ruby applications and Debian packages that depend on rubyzip, especially services handling user-uploaded archives.
  • Restrict or remove ZIP upload and auto-extract features where they are not required.
  • Validate extracted paths and reject archive entries that resolve outside the intended destination directory.
  • Check for unexpected files or overwrites in application-managed directories after processing archives.
  • Use the referenced project release information and vendor advisory to confirm the correct remediated version for your deployment.
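One way to implement the path-validation step above (and to see the CWE-22 condition from the technical summary concretely), as an added example that is not rubyzip's or Debian's code: the check uses only the Ruby standard library, the destination directory and entry names are constructed inputs, and it is meant to be applied to each entry's name before handing the entry to rubyzip's extraction methods.

```ruby
require "pathname"

# Return the absolute path an archive entry would be written to when that
# path stays inside +dest+, or nil when the entry would escape (CWE-22).
# rubyzip's fixed releases carry their own guard; this stand-alone version
# only illustrates the principle.
def safe_extraction_path(dest, entry_name)
  root = File.expand_path(dest)
  # Absolute names, drive-letter names and "~" names never resolve relative
  # to the destination (File.expand_path would expand "~" to a home directory).
  return nil if entry_name.start_with?("/", "\\", "~")
  return nil if entry_name.match?(/\A[A-Za-z]:/)
  # Normalise backslashes so a Windows-style "..\\" cannot bypass the check.
  candidate = File.expand_path(entry_name.tr("\\", "/"), root)
  # Require the separator so "/srv/out2/x" is not accepted for dest "/srv/out".
  candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
end

# Split entry names into those safe to extract and those to reject.
def triage_entries(dest, entry_names)
  ok, rejected = [], []
  entry_names.each do |name|
    path = safe_extraction_path(dest, name)
    path ? ok << [name, path] : rejected << name
  end
  [ok, rejected]
end

# Constructed entry names: three legitimate, four that escape the destination.
SAMPLE_ENTRIES = [
  "README.md",
  "lib/app.rb",
  "nested/../sibling.txt",       # stays inside dest after normalisation
  "../../escaped.txt",           # the "../" pattern described in the summary
  "/absolute/path.txt",
  "..\\..\\escaped-windows.txt",
  "~/escaped-home.txt",
].freeze

if __FILE__ == $PROGRAM_NAME
  ok, rejected = triage_entries("/srv/uploads/extract", SAMPLE_ENTRIES)
  ok.each { |name, path| puts "extract #{name} -> #{path}" }
  rejected.each { |name| puts "reject  #{name}" }
end
```

The same check can wrap a rubyzip loop by consulting `safe_extraction_path(dest, entry.name)` and skipping, logging or aborting on a nil result before any file is created.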

Evidence notes

The supplied corpus ties this CVE to rubyzip versions before 1.2.1, a CWE-22 traversal weakness, and a 9.8 CVSS 3.1 vector. It also lists Debian 8.0 and 9.0 CPEs as vulnerable, but the corpus does not include exact Debian package-version remediation details. The issue and release references support the remediation path without adding unsupported facts.

Official resources

Publicly disclosed on 2017-02-27; the NVD record was later modified on 2026-05-13.