CVE-2018-1000079

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

Link	Resource
https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759	Patch Third Party Advisory
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099	Patch Third Party Advisory
http://blog.rubygems.org/2018/02/15/2.7.6-released.html	Vendor Advisory
https://usn.ubuntu.com/3621-1/
https://www.debian.org/security/2018/dsa-4219
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://www.debian.org/security/2018/dsa-4259
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3729
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663

Configuration 1

cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*

---

Published : 2018-03-13 03:29

Updated : 2018-11-30 11:29

---

NVD link : CVE-2018-1000079

Mitre link : CVE-2018-1000079

No products.

CWE-22