Ubuntu Security Notice 6731-1 - It was discovered that YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files. This issue only affected Ubuntu 16.04 LTS. It was discovered that yard before 0.9.20 is affected by a path traversal vulnerability, allowing HTTP requests to access arbitrary files under certain conditions. This issue only affected Ubuntu 18.04 LTS.
6cc5e58d73d3c046e985de41d539f9f53c558c2a92241a406f4d47be886d6803