CVE-2017-0903

CVSS v3.0 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 13.51% (96th percentile)
Affected Products 9
Advisories 14

RubyGems versions 2.0.0 through 2.6.13 are vulnerable to a possible remote code execution vulnerability. When a gem specification is loaded from YAML, the deserialization path can bypass the class whitelist that is meant to restrict which Ruby classes may be instantiated, so a specially crafted serialized object embedded in gem metadata can potentially escalate to remote code execution in any process that parses that metadata (for example a `gem install` of an attacker-controlled gem). The issue is fixed in RubyGems 2.6.14; upgrade with `gem update --system` or apply the corresponding distribution update.
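The two things a practitioner wants from this entry are a way to tell whether a host sits in the affected range and a concrete picture of what a class whitelist on gem-spec YAML actually does. The Ruby below is an added example written for this page; it is not code from RubyGems or from the advisory. The helper names (`rubygems_affected?`, `load_spec_yaml`, `check_spec`) and the `PERMITTED_CLASSES` list are assumptions for illustration: the real allowlist is the one shipped inside the rubygems library (`Gem::SafeYAML` in current releases), not this one. The YAML documents are constructed sample input, not real gem metadata, and the rejected case uses a plain `!ruby/object:Object` tag rather than any gadget from the actual report.

```ruby
require 'rubygems'
require 'psych'
require 'date'

# Affected range from the CVE text: RubyGems 2.0.0 through 2.6.13 inclusive.
# The lower bound uses the prerelease marker "2.0.0.a" so the 2.0.0 preview/rc
# builds in the CPE list (which sort below 2.0.0) are caught as well.
AFFECTED = Gem::Requirement.new('>= 2.0.0.a', '<= 2.6.13')

# Hypothetical helper (not RubyGems API): true when the given RubyGems version
# string falls inside the affected range. Pass Gem::VERSION to check this host.
def rubygems_affected?(version)
  AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Illustrative class allowlist for spec-like YAML. Assumption for this example:
# it is NOT the list RubyGems ships (see Gem::SafeYAML in the installed rubygems).
PERMITTED_CLASSES = [Gem::Version, Gem::Requirement, Time, Date].freeze

# Parse with the allowlist enforced. Psych's restricted class loader applies to
# every node in the document, so a !ruby/object: tag naming a class outside the
# list raises Psych::DisallowedClass before that class is ever allocated.
def load_spec_yaml(yaml)
  Psych.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Returns [:ok, parsed_hash] or [:rejected, error_message].
def check_spec(yaml)
  [:ok, load_spec_yaml(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Constructed sample input: a benign spec fragment whose version field carries
# a tag for an allowlisted class (Gem::Version is rebuilt from its "version" key).
BENIGN_SPEC = <<~YAML
  name: example
  version: !ruby/object:Gem::Version
    version: 1.2.3
YAML

# Constructed sample input: the same field tagged with a class that is not on
# the allowlist. A correctly enforced allowlist rejects it outright.
TAGGED_SPEC = <<~YAML
  name: example
  version: !ruby/object:Object {}
YAML

if $PROGRAM_NAME == __FILE__
  puts "RubyGems #{Gem::VERSION} affected? #{rubygems_affected?(Gem::VERSION)}"
  p check_spec(BENIGN_SPEC)
  p check_spec(TAGGED_SPEC)
end
```

Run it on a host to print whether the installed RubyGems falls in the range and to see the two parses: the benign document yields a `Gem::Version` equal to 1.2.3, the tagged one is refused with "Tried to load unspecified class: Object". The point of the CVE is that the whitelist is only as good as the classes on it: a permitted class whose YAML initializer does something powerful with attacker-chosen attributes reopens the door even though the tag check itself is working, so the fix in 2.6.14 tightened what the permitted classes and symbols were, not just the tag filter.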

Weaknesses
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2017-10-11 18:29:00
(7 years ago)
Updated Date
2019-10-09 23:21:10
(5 years ago)

Affected Products


Configuration #1

    Product Version CPE 2.3
  Rubygems 2.0.0 cpe:2.3:a:rubygems:rubygems:2.0.0
  Rubygems 2.0.0 Preview2 cpe:2.3:a:rubygems:rubygems:2.0.0:preview2
  Rubygems 2.0.0 Preview2.1 cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1
  Rubygems 2.0.0 Preview2.2 cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2
  Rubygems 2.0.0 Rc1 cpe:2.3:a:rubygems:rubygems:2.0.0:rc1
  Rubygems 2.0.0 Rc2 cpe:2.3:a:rubygems:rubygems:2.0.0:rc2
  Rubygems 2.0.1 cpe:2.3:a:rubygems:rubygems:2.0.1
  Rubygems 2.0.2 cpe:2.3:a:rubygems:rubygems:2.0.2
  Rubygems 2.0.3 cpe:2.3:a:rubygems:rubygems:2.0.3
  Rubygems 2.0.4 cpe:2.3:a:rubygems:rubygems:2.0.4
  Rubygems 2.0.5 cpe:2.3:a:rubygems:rubygems:2.0.5
  Rubygems 2.0.6 cpe:2.3:a:rubygems:rubygems:2.0.6
  Rubygems 2.0.7 cpe:2.3:a:rubygems:rubygems:2.0.7
  Rubygems 2.0.8 cpe:2.3:a:rubygems:rubygems:2.0.8
  Rubygems 2.0.9 cpe:2.3:a:rubygems:rubygems:2.0.9
  Rubygems 2.0.10 cpe:2.3:a:rubygems:rubygems:2.0.10
  Rubygems 2.0.11 cpe:2.3:a:rubygems:rubygems:2.0.11
  Rubygems 2.0.12 cpe:2.3:a:rubygems:rubygems:2.0.12
  Rubygems 2.0.13 cpe:2.3:a:rubygems:rubygems:2.0.13
  Rubygems 2.0.14 cpe:2.3:a:rubygems:rubygems:2.0.14
  Rubygems 2.0.15 cpe:2.3:a:rubygems:rubygems:2.0.15
  Rubygems 2.0.16 cpe:2.3:a:rubygems:rubygems:2.0.16
  Rubygems 2.0.17 cpe:2.3:a:rubygems:rubygems:2.0.17
  Rubygems 2.1.0 cpe:2.3:a:rubygems:rubygems:2.1.0
  Rubygems 2.1.0.rc.1 cpe:2.3:a:rubygems:rubygems:2.1.0.rc.1
  Rubygems 2.1.0.rc.2 cpe:2.3:a:rubygems:rubygems:2.1.0.rc.2
  Rubygems 2.1.1 cpe:2.3:a:rubygems:rubygems:2.1.1
  Rubygems 2.1.2 cpe:2.3:a:rubygems:rubygems:2.1.2
  Rubygems 2.1.3 cpe:2.3:a:rubygems:rubygems:2.1.3
  Rubygems 2.1.4 cpe:2.3:a:rubygems:rubygems:2.1.4
  Rubygems 2.1.5 cpe:2.3:a:rubygems:rubygems:2.1.5
  Rubygems 2.1.6 cpe:2.3:a:rubygems:rubygems:2.1.6
  Rubygems 2.1.7 cpe:2.3:a:rubygems:rubygems:2.1.7
  Rubygems 2.1.8 cpe:2.3:a:rubygems:rubygems:2.1.8
  Rubygems 2.1.9 cpe:2.3:a:rubygems:rubygems:2.1.9
  Rubygems 2.1.10 cpe:2.3:a:rubygems:rubygems:2.1.10
  Rubygems 2.1.11 cpe:2.3:a:rubygems:rubygems:2.1.11
  Rubygems 2.2.0 cpe:2.3:a:rubygems:rubygems:2.2.0
  Rubygems 2.2.0.preiew.1 cpe:2.3:a:rubygems:rubygems:2.2.0.preiew.1
  Rubygems 2.2.0.rc.1 cpe:2.3:a:rubygems:rubygems:2.2.0.rc.1
  Rubygems 2.2.1 cpe:2.3:a:rubygems:rubygems:2.2.1
  Rubygems 2.2.2 cpe:2.3:a:rubygems:rubygems:2.2.2
  Rubygems 2.2.3 cpe:2.3:a:rubygems:rubygems:2.2.3
  Rubygems 2.2.4 cpe:2.3:a:rubygems:rubygems:2.2.4
  Rubygems 2.2.5 cpe:2.3:a:rubygems:rubygems:2.2.5
  Rubygems 2.3.0 cpe:2.3:a:rubygems:rubygems:2.3.0
  Rubygems 2.4.0 cpe:2.3:a:rubygems:rubygems:2.4.0
  Rubygems 2.4.1 cpe:2.3:a:rubygems:rubygems:2.4.1
  Rubygems 2.4.2 cpe:2.3:a:rubygems:rubygems:2.4.2
  Rubygems 2.4.3 cpe:2.3:a:rubygems:rubygems:2.4.3
  Rubygems 2.4.4 cpe:2.3:a:rubygems:rubygems:2.4.4
  Rubygems 2.4.5 cpe:2.3:a:rubygems:rubygems:2.4.5
  Rubygems 2.4.6 cpe:2.3:a:rubygems:rubygems:2.4.6
  Rubygems 2.4.7 cpe:2.3:a:rubygems:rubygems:2.4.7
  Rubygems 2.4.8 cpe:2.3:a:rubygems:rubygems:2.4.8
  Rubygems 2.5.0 cpe:2.3:a:rubygems:rubygems:2.5.0
  Rubygems 2.5.1 cpe:2.3:a:rubygems:rubygems:2.5.1
  Rubygems 2.5.2 cpe:2.3:a:rubygems:rubygems:2.5.2
  Rubygems 2.6.0 cpe:2.3:a:rubygems:rubygems:2.6.0
  Rubygems 2.6.1 cpe:2.3:a:rubygems:rubygems:2.6.1
  Rubygems 2.6.2 cpe:2.3:a:rubygems:rubygems:2.6.2
  Rubygems 2.6.3 cpe:2.3:a:rubygems:rubygems:2.6.3
  Rubygems 2.6.4 cpe:2.3:a:rubygems:rubygems:2.6.4
  Rubygems 2.6.5 cpe:2.3:a:rubygems:rubygems:2.6.5
  Rubygems 2.6.6 cpe:2.3:a:rubygems:rubygems:2.6.6
  Rubygems 2.6.7 cpe:2.3:a:rubygems:rubygems:2.6.7
  Rubygems 2.6.8 cpe:2.3:a:rubygems:rubygems:2.6.8
  Rubygems 2.6.9 cpe:2.3:a:rubygems:rubygems:2.6.9
  Rubygems 2.6.10 cpe:2.3:a:rubygems:rubygems:2.6.10
  Rubygems 2.6.11 cpe:2.3:a:rubygems:rubygems:2.6.11
  Rubygems 2.6.12 cpe:2.3:a:rubygems:rubygems:2.6.12
  Rubygems 2.6.13 cpe:2.3:a:rubygems:rubygems:2.6.13

Configuration #2

    Product Version CPE 2.3
  Debian Linux 8.0 cpe:2.3:o:debian:debian_linux:8.0
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0

Configuration #3

    Product Version CPE 2.3
  Canonical Ubuntu Linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts
  Canonical Ubuntu Linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts
  Canonical Ubuntu Linux 17.10 cpe:2.3:o:canonical:ubuntu_linux:17.10

Configuration #4

    Product Version CPE 2.3
  Redhat Enterprise Linux Desktop 7.0 cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  Redhat Enterprise Linux Server 7.0 cpe:2.3:o:redhat:enterprise_linux_server:7.0
  Redhat Enterprise Linux Server Aus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4
  Redhat Enterprise Linux Server Aus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  Redhat Enterprise Linux Server Eus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4
  Redhat Enterprise Linux Server Eus 7.5 cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5
  Redhat Enterprise Linux Server Eus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  Redhat Enterprise Linux Server Tus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4
  Redhat Enterprise Linux Server Tus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
  Redhat Enterprise Linux Workstation 7.0 cpe:2.3:o:redhat:enterprise_linux_workstation:7.0