Updated advisory posts against rubysec/ruby-advisory-db@30ae988

Author: flavorjones

advisories/_posts/2026-04-17-GHSA-3jfp-46x4-xgfj.md

@@ -0,0 +1,45 @@
+---
+layout: advisory
+title: 'GHSA-3jfp-46x4-xgfj (yard): yard - Possible arbitrary path traversal and file
+  access via yard server'
+comments: false
+categories:
+- yard
+advisory:
+  gem: yard
+  ghsa: 3jfp-46x4-xgfj
+  url: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+  title: yard - Possible arbitrary path traversal and file access via yard server
+  date: 2026-04-17
+  description: |-
+    ### Impact
+
+    A path traversal vulnerability was discovered in YARD <= 0.9.41 when
+    using yard server to serve documentation. This bug would allow
+    unsanitized HTTP requests to access arbitrary files on the machine
+    of a yard server host under certain conditions.
+
+    The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr)
+    was incorrectly applied.
+
+    ### Patches
+
+    Please upgrade to YARD v0.9.42 immediately if you are relying on yard
+    server to host documentation in any untrusted environments without
+    WEBrick and rely on `--docroot`.
+
+    ### Workarounds
+
+    For users who cannot upgrade, it is possible to perform path sanitization
+    of HTTP requests at your webserver level. WEBrick, for example, can
+    perform such sanitization by default (which you can use via yard
+    server -s webrick), as can certain rules in your webserver configuration.
+  patched_versions:
+  - ">= 0.9.42"
+  related:
+    url:
+    - https://my.diffend.io/gems/yard/0.9.41/0.9.42
+    - https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+    - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
+    - https://github.com/advisories/GHSA-3jfp-46x4-xgfj
+---