CVE-2017-0902

Published: Aug 31, 2017

Modified: Sep 17, 2024

PUBLISHED

Description

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

Vendor	Product	Versions
HackerOne	RubyGems	affected `Versions before 2.6.13`

Weaknesses (CWE)

CWE-350

References

USN-3685-1

vendor-advisory

x_refsource_UBUNTU

USN-3553-1

vendor-advisory

x_refsource_UBUNTU

RHSA-2018:0585

vendor-advisory

x_refsource_REDHAT

DSA-3966

vendor-advisory

x_refsource_DEBIAN

RHSA-2018:0378

vendor-advisory

x_refsource_REDHAT

1039249

vdb-entry

x_refsource_SECTRACK

RHSA-2017:3485

vendor-advisory

x_refsource_REDHAT

[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update

mailing-list

x_refsource_MLIST

RHSA-2018:0583

vendor-advisory

x_refsource_REDHAT

GLSA-201710-01

vendor-advisory

x_refsource_GENTOO

100586

vdb-entry

x_refsource_BID

https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32

x_refsource_MISC

https://hackerone.com/reports/218088

x_refsource_MISC

http://blog.rubygems.org/2017/08/27/2.6.13-released.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2017-0902

Description

Affected Products

Weaknesses (CWE)

References