[RUBYSEC:RUBYGEMS-UPDATE-2017-0901] RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

Severity: High
Affected Packages: 3
Fixed Packages: 3
CVEs: 1

RubyGems version 2.6.12 and earlier fails to validate specification names,
allowing a maliciously crafted gem to potentially overwrite any file on the
filesystem.

Package: pkg:gem/rubygems-update (rubygems-update)

Release branch  Affected Version  Fixed Version
2.4.x           < 2.4.5.3         >= 2.4.5.3
2.5.x           < 2.5.2.1         >= 2.5.2.1
2.6.x           < 2.6.13          >= 2.6.13

Source
Security Advisory GHSA-pm9x-4392-2c2p https://github.com/advisories/GHSA-pm9x-4392-2c2p