[RUBYSEC:RUBYGEMS-UPDATE-2018-1000078] RubyGems Cross-site Scripting vulnerability

Severity Medium
Affected Packages 1
Fixed Packages 1
CVEs 1

RubyGems as shipped with the Ruby 2.2 series (2.2.9 and earlier), the Ruby 2.3 series
(2.3.6 and earlier), the Ruby 2.4 series (2.4.3 and earlier), and the Ruby 2.5 series
(2.5.0 and earlier), prior to trunk revision 62422, contains a Cross-Site Scripting (XSS)
vulnerability in the gem server's display of a gem's homepage attribute. The attack
requires the victim to browse to a malicious gem on a vulnerable gem server. The
vulnerability is fixed in 2.7.6.

Type      Package URL              Name / Product   Version
Fixed     pkg:gem/rubygems-update  rubygems-update  >= 2.7.6
Affected  pkg:gem/rubygems-update  rubygems-update  < 2.7.6