The vulnerability stemmed from two key areas:

1. In `extract_tar_gz`, the use of `FileUtils.mkdir_p` without proper traversal checks allowed creating directories outside the target.
2. `install_location`'s path validation only checked if the destination started with `destination_dir`, which could be bypassed via crafted paths.

The fixes (666ef79 and f83f911) introduced `mkdir_p_safe` with component-wise validation and stricter `start_with?` checks with a trailing slash, confirming these functions were the vulnerable points.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rubygems-update | rubygems | < 2.7.6 | 2.7.6 |
| org.jruby:jruby-stdlib | maven | < 9.1.16.0 | 9.1.16.0 |
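
The difference between the two path checks described above, as an added example that is not the RubyGems source: it compares a plain `start_with?` prefix test with one that requires a trailing separator, and adds a component-wise walk in the spirit of `mkdir_p_safe`. The helper names, the root directory and the sample entry names are constructed for illustration, and nothing touches the filesystem.

```ruby
# Added illustration, not RubyGems code. Helper names and paths are hypothetical.

# Weak form: plain string-prefix test on the expanded destination.
def prefix_only_inside?(destination_dir, entry_name)
  File.expand_path(entry_name, destination_dir).start_with?(destination_dir)
end

# Stricter form: the prefix must end at a path separator, so a sibling
# directory that merely shares the leading characters is rejected.
def separator_inside?(destination_dir, entry_name)
  root = File.expand_path(destination_dir)
  File.expand_path(entry_name, root).start_with?(root + File::SEPARATOR)
end

# Component-wise walk: resolve one component at a time and reject as soon
# as any intermediate directory falls outside the root.
def safe_dirs(destination_dir, entry_dir)
  root = File.expand_path(destination_dir)
  path = root
  entry_dir.split(File::SEPARATOR).reject(&:empty?).map do |part|
    path = File.expand_path(part, path)
    unless path == root || path.start_with?(root + File::SEPARATOR)
      raise ArgumentError, "#{entry_dir.inspect} leaves #{root}"
    end
    path
  end
end

ROOT = "/tmp/gems/foo-1.0" # constructed install root
SAMPLES = [                # constructed archive entry names
  "lib/foo.rb",
  "../foo-1.0-other/lib/x.rb",
  "../../outside/x"
].freeze

# Returns [entry, weak_check_result, strict_check_result] per sample.
def compare(root = ROOT, names = SAMPLES)
  names.map { |n| [n, prefix_only_inside?(root, n), separator_inside?(root, n)] }
end

compare.each do |name, weak, strict|
  puts format("%-28s prefix-only=%-5s with-separator=%s", name, weak, strict)
end
```

The second sample is the case that separates the two checks: it resolves to a sibling of the root whose name begins with the same characters, so only the separator-aware comparison rejects it.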