8.1

CVE-2017-0902

Exploit
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubygemsRubygems Version <= 2.6.12
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version17.10
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.75% 0.907
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

https://access.redhat.com/errata/RHSA-2018:0583
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2017/dsa-3966
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3485
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585
Third Party Advisory
https://usn.ubuntu.com/3685-1/
Third Party Advisory
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Patch
Vendor Advisory
http://www.securitytracker.com/id/1039249
Third Party Advisory
VDB Entry
https://security.gentoo.org/glsa/201710-01
Third Party Advisory
https://usn.ubuntu.com/3553-1/
Third Party Advisory
http://www.securityfocus.com/bid/100586
Third Party Advisory
VDB Entry
https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
Patch
Third Party Advisory
Exploit
https://hackerone.com/reports/218088
Third Party Advisory
Exploit
Issue Tracking