9.8

CVE-2017-0899

Exploit
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 10.81% 0.953
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://access.redhat.com/errata/RHSA-2018:0583
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2017/dsa-3966
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3485
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585
Third Party Advisory
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Patch
Vendor Advisory
http://www.securityfocus.com/bid/100576
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039249
Third Party Advisory
VDB Entry
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
Patch
Third Party Advisory
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
Patch
Third Party Advisory
https://hackerone.com/reports/226335
Patch
Third Party Advisory
Exploit
https://security.gentoo.org/glsa/201710-01
Third Party Advisory