RubyGems vulnerable to Deserialization of Untrusted Data

GHSA-mqwr-4qf2-2hcv · CVE-2017-0903

Published May 13, 2022 · Modified Feb 22, 2024

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. The issue has been patched in 2.6.14.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-0903
WEB https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
WEB https://hackerone.com/reports/274990
WEB https://access.redhat.com/errata/RHSA-2017:3485
WEB https://access.redhat.com/errata/RHSA-2018:0378
WEB https://access.redhat.com/errata/RHSA-2018:0583
WEB https://access.redhat.com/errata/RHSA-2018:0585
PACKAGE https://github.com/rubygems/rubygems
WEB https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
WEB https://usn.ubuntu.com/3553-1
WEB https://usn.ubuntu.com/3685-1
WEB https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275
WEB https://www.debian.org/security/2017/dsa-4031
WEB http://blog.rubygems.org/2017/10/09/2.6.14-released.html
WEB http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes