CVE-2017-0903
Vulnerability Summary
Description
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
CVSS Metrics
- v3.0 • CRITICAL • Score: 9.8 • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0 • HIGH • Score: 7.5 • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 5.54% • Percentile: 90%
Techniques & Countermeasures
- CWE-502 • Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- canonical • ubuntu_linux: 14.04 | 16.04 | 17.10
- debian • debian_linux: 8.0 | 9.0
- hackerone • rubygems: versions >= 2.0.0
- redhat • enterprise_linux_desktop: 7.0
- redhat • enterprise_linux_server: 7.0
- redhat • enterprise_linux_server_aus: 7.4 | 7.6
- redhat • enterprise_linux_server_eus: 7.4 | 7.5 | 7.6
- redhat • enterprise_linux_server_tus: 7.4 | 7.6
- redhat • enterprise_linux_workstation: 7.0
- rubygems • rubygems:
2.0.0 | 2.0.0:preview2 | 2.0.0:preview2.1 | 2.0.0:preview2.2 | 2.0.0:rc1 | 2.0.0:rc2 | 2.0.1 | 2.0.2 | 2.0.3 | 2.0.4 | 2.0.5 | 2.0.6 | 2.0.7 | 2.0.8 | 2.0.9 | 2.0.10 | 2.0.11 | 2.0.12 | 2.0.13 | 2.0.14 | 2.0.15 | 2.0.16 | 2.0.17 | 2.1.0 | 2.1.0.rc.1 | 2.1.0.rc.2 | 2.1.1 | 2.1.2 | 2.1.3 | 2.1.4 | 2.1.5 | 2.1.6 | 2.1.7 | 2.1.8 | 2.1.9 | 2.1.10 | 2.1.11 | 2.2.0 | 2.2.0.preiew.1 | 2.2.0.rc.1 | 2.2.1 | 2.2.2 | 2.2.3 | 2.2.4 | 2.2.5 | 2.3.0 | 2.4.0 | 2.4.1 | 2.4.2 | 2.4.3 | 2.4.4 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 | 2.5.0 | 2.5.1 | 2.5.2 | 2.6.0 | 2.6.1 | 2.6.2 | 2.6.3 | 2.6.4 | 2.6.5 | 2.6.6 | 2.6.7 | 2.6.8 | 2.6.9 | 2.6.10 | 2.6.11 | 2.6.12 | 2.6.13
References (13)
- https://usn.ubuntu.com/3685-1/
- https://usn.ubuntu.com/3553-1/
- https://access.redhat.com/errata/RHSA-2018:0585
- https://access.redhat.com/errata/RHSA-2018:0378
- https://hackerone.com/reports/274990
- https://www.debian.org/security/2017/dsa-4031
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
- https://access.redhat.com/errata/RHSA-2017:3485
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://access.redhat.com/errata/RHSA-2018:0583
- http://www.securityfocus.com/bid/101275
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html