9.8

CVE-2017-0903

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubygemsRubygems Version2.0.0
RubygemsRubygems Version2.0.0 Updatepreview2
RubygemsRubygems Version2.0.0 Updatepreview2.1
RubygemsRubygems Version2.0.0 Updatepreview2.2
RubygemsRubygems Version2.0.0 Updaterc1
RubygemsRubygems Version2.0.0 Updaterc2
RubygemsRubygems Version2.0.1
RubygemsRubygems Version2.0.2
RubygemsRubygems Version2.0.3
RubygemsRubygems Version2.0.4
RubygemsRubygems Version2.0.5
RubygemsRubygems Version2.0.6
RubygemsRubygems Version2.0.7
RubygemsRubygems Version2.0.8
RubygemsRubygems Version2.0.9
RubygemsRubygems Version2.0.10
RubygemsRubygems Version2.0.11
RubygemsRubygems Version2.0.12
RubygemsRubygems Version2.0.13
RubygemsRubygems Version2.0.14
RubygemsRubygems Version2.0.15
RubygemsRubygems Version2.0.16
RubygemsRubygems Version2.0.17
RubygemsRubygems Version2.1.0
RubygemsRubygems Version2.1.0.rc.1
RubygemsRubygems Version2.1.0.rc.2
RubygemsRubygems Version2.1.1
RubygemsRubygems Version2.1.2
RubygemsRubygems Version2.1.3
RubygemsRubygems Version2.1.4
RubygemsRubygems Version2.1.5
RubygemsRubygems Version2.1.6
RubygemsRubygems Version2.1.7
RubygemsRubygems Version2.1.8
RubygemsRubygems Version2.1.9
RubygemsRubygems Version2.1.10
RubygemsRubygems Version2.1.11
RubygemsRubygems Version2.2.0
RubygemsRubygems Version2.2.0.preiew.1
RubygemsRubygems Version2.2.0.rc.1
RubygemsRubygems Version2.2.1
RubygemsRubygems Version2.2.2
RubygemsRubygems Version2.2.3
RubygemsRubygems Version2.2.4
RubygemsRubygems Version2.2.5
RubygemsRubygems Version2.3.0
RubygemsRubygems Version2.4.0
RubygemsRubygems Version2.4.1
RubygemsRubygems Version2.4.2
RubygemsRubygems Version2.4.3
RubygemsRubygems Version2.4.4
RubygemsRubygems Version2.4.5
RubygemsRubygems Version2.4.6
RubygemsRubygems Version2.4.7
RubygemsRubygems Version2.4.8
RubygemsRubygems Version2.5.0
RubygemsRubygems Version2.5.1
RubygemsRubygems Version2.5.2
RubygemsRubygems Version2.6.0
RubygemsRubygems Version2.6.1
RubygemsRubygems Version2.6.2
RubygemsRubygems Version2.6.3
RubygemsRubygems Version2.6.4
RubygemsRubygems Version2.6.5
RubygemsRubygems Version2.6.6
RubygemsRubygems Version2.6.7
RubygemsRubygems Version2.6.8
RubygemsRubygems Version2.6.9
RubygemsRubygems Version2.6.10
RubygemsRubygems Version2.6.11
RubygemsRubygems Version2.6.12
RubygemsRubygems Version2.6.13
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version17.10
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 15.85% 0.965
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://access.redhat.com/errata/RHSA-2018:0583
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2017:3485
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585
Third Party Advisory
https://usn.ubuntu.com/3685-1/
Third Party Advisory
https://usn.ubuntu.com/3553-1/
Third Party Advisory
https://www.debian.org/security/2017/dsa-4031
Third Party Advisory
http://blog.rubygems.org/2017/10/09/2.6.14-released.html
Vendor Advisory
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
Vendor Advisory
http://www.securityfocus.com/bid/101275
Third Party Advisory
VDB Entry
https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
Patch
Third Party Advisory
https://hackerone.com/reports/274990
Third Party Advisory