CVE-2017-0902

Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 31 Aug 2017, 20:00
Last modified: 17 Sept 2024, 00:42

Vulnerability Summary

Overall Risk (default)
medium
43/100
CVSS Score
8.1 HIGH
v3.0 (nvd)
EPSS Score
5% LOW
5% probability -0.21%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

31 Aug 2017, 20:00
Published
Vulnerability first disclosed
17 Sept 2024, 00:42
Last Modified
Vulnerability information updated

Description

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

CVSS Metrics

  • v3.0 HIGH Score: 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0 MEDIUM Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 5.00% Percentile: 90%

Techniques & Countermeasures

  • CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

    The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

  • CWE-346 Origin Validation Error

    The product does not properly verify that the source of data or communication is valid.

Affected Systems

  • canonical / ubuntu_linux

    14.04 | 16.04 | 17.10

  • debian / debian_linux

    8.0 | 9.0

  • hackerone / rubygems

    Versions before 2.6.13

  • redhat / enterprise_linux_desktop

    7.0

  • redhat / enterprise_linux_server

    7.0

  • redhat / enterprise_linux_server_aus

    7.4 | 7.6

  • redhat / enterprise_linux_server_eus

    7.4 | 7.5 | 7.6

  • redhat / enterprise_linux_server_tus

    7.4 | 7.6

  • redhat / enterprise_linux_workstation

    7.0

  • rubygems / rubygems

    ≤ 2.6.12
