Detections
Analytics

CVE-2018-1000079

medium

Description

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

References

https://www.debian.org/security/2018/dsa-4259

https://www.debian.org/security/2018/dsa-4219

https://usn.ubuntu.com/3621-1/

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759

https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099

https://access.redhat.com/errata/RHSA-2020:0663

https://access.redhat.com/errata/RHSA-2020:0591

https://access.redhat.com/errata/RHSA-2020:0542

https://access.redhat.com/errata/RHSA-2019:2028

https://access.redhat.com/errata/RHSA-2018:3731

https://access.redhat.com/errata/RHSA-2018:3730

https://access.redhat.com/errata/RHSA-2018:3729

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

Details

Source: Mitre, NVD

Published: 2018-03-13

Updated: 2018-11-30

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Severity: Medium