CVE-2017-0899

critical

Description

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

References

https://www.debian.org/security/2017/dsa-3966

https://security.gentoo.org/glsa/201710-01

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://hackerone.com/reports/226335

https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491

https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1

https://access.redhat.com/errata/RHSA-2018:0585

https://access.redhat.com/errata/RHSA-2018:0583

https://access.redhat.com/errata/RHSA-2018:0378

https://access.redhat.com/errata/RHSA-2017:3485

http://www.securitytracker.com/id/1039249

http://www.securityfocus.com/bid/100576

http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Details

Source: Mitre, NVD

Published: 2017-08-31

Updated: 2019-10-09

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

Detections

Analytics