CVE-2017-0903
N/A
N/A
Summary
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | RubyGems | Versions >= 2.0.0 | affected |
Weaknesses
- CWE-502: Deserialization of Untrusted Data (CWE-502)
ADP Enrichment
CVE Program Container
Additional References
- https://usn.ubuntu.com/3685-1/
- https://usn.ubuntu.com/3553-1/
- https://access.redhat.com/errata/RHSA-2018:0585
- https://access.redhat.com/errata/RHSA-2018:0378
- https://hackerone.com/reports/274990
- https://www.debian.org/security/2017/dsa-4031
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
- https://access.redhat.com/errata/RHSA-2017:3485
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://access.redhat.com/errata/RHSA-2018:0583
- http://www.securityfocus.com/bid/101275
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
References
- https://usn.ubuntu.com/3685-1/
- https://usn.ubuntu.com/3553-1/
- https://access.redhat.com/errata/RHSA-2018:0585
- https://access.redhat.com/errata/RHSA-2018:0378
- https://hackerone.com/reports/274990
- https://www.debian.org/security/2017/dsa-4031
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
- https://access.redhat.com/errata/RHSA-2017:3485
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://access.redhat.com/errata/RHSA-2018:0583
- http://www.securityfocus.com/bid/101275
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.