CVE-2017-0901

Published: Aug 31, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

Vendor	Product	Versions
HackerOne	RubyGems	affected `Versions before 2.6.13`

Weaknesses (CWE)

CWE-22

References

USN-3685-1

vendor-advisory

x_refsource_UBUNTU

USN-3553-1

vendor-advisory

x_refsource_UBUNTU

RHSA-2018:0585

vendor-advisory

x_refsource_REDHAT

DSA-3966

vendor-advisory

x_refsource_DEBIAN

RHSA-2018:0378

vendor-advisory

x_refsource_REDHAT

42611

exploit

x_refsource_EXPLOIT-DB

1039249

vdb-entry

x_refsource_SECTRACK

https://hackerone.com/reports/243156

x_refsource_MISC

RHSA-2017:3485

vendor-advisory

x_refsource_REDHAT

https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2

x_refsource_MISC

[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update

mailing-list

x_refsource_MLIST

RHSA-2018:0583

vendor-advisory

x_refsource_REDHAT

GLSA-201710-01

vendor-advisory

x_refsource_GENTOO

100580

vdb-entry

x_refsource_BID

http://blog.rubygems.org/2017/08/27/2.6.13-released.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2017-0901

Description

Affected Products

Weaknesses (CWE)

References