Samuel Giddins

9 exploits Active since Aug 2017
CVE-2017-0901 WRITEUP HIGH WRITEUP
RubyGems < 2.6.13 - Arbitrary File Write via Specification Name Validation Bypass
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
CVSS 7.5
CVE-2018-1000079 WRITEUP MEDIUM WRITEUP
RubyGems < 2.2.9, 2.3.6, 2.4.3, 2.5.0 - Directory Traversal via Malicious Gem Installation
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
CVSS 5.5
CVE-2017-0899 WRITEUP CRITICAL WRITEUP
RubyGems < 2.6.13 - Terminal Escape Sequence Injection via Gem Specification
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
CVSS 9.8
CVE-2017-0900 WRITEUP HIGH WRITEUP
RubyGems < 2.6.12 - Denial of Service via Malicious Gem Specification
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
CVSS 7.5
CVE-2017-0902 WRITEUP HIGH WRITEUP
RubyGems < 2.6.12 - DNS Hijacking via MITM Attack
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
CVSS 8.1
CVE-2018-1000075 WRITEUP HIGH WRITEUP
RubyGems < 2.2.9, 2.3.6, 2.4.3, 2.5.0 - Infinite Loop via Negative Size in Tar Header
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
CVSS 7.5
CVE-2018-1000076 WRITEUP CRITICAL WRITEUP
RubyGems <2.7.6 - Improper Verification of Cryptographic Signature
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
CVSS 9.8
CVE-2022-36073 WRITEUP HIGH WRITEUP
RubyGems.org < 2022-08-31 - Account Takeover via Email Change Confirmation Bypass
RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish and yank versions of those gems. Commit number 90c9e6aac2d91518b479c51d48275c57de492d4d contains a patch for this issue.
CVSS 8.3
CVE-2023-40165 WRITEUP HIGH WRITEUP
rubygems.org < 2023-08-14 - Unauthenticated Gem Replacement via Insufficient Input Validation
rubygems.org is the Ruby community's primary gem (library) hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-\d/`, permanently replacing the legitimate upload in the canonical gem storage bucket, and triggering an immediate CDN purge so that the malicious gem would be served immediately. The maintainers have checked all gems matching the `/-\d/` pattern and can confirm that no unexpected `.gem`s were found. As a result, we believe this vulnerability was _not_ exploited. The easiest way to ensure that a user's applications were not exploited by this vulnerability is to check that all of your downloaded .gems have a checksum that matches the checksum recorded in the RubyGems.org database. RubyGems contributor Maciej Mensfeld wrote a tool to automatically check that all downloaded .gem files match the checksums recorded in the RubyGems.org database. You can use it by running: `bundle add bundler-integrity` followed by `bundle exec bundler-integrity`. Neither this tool nor anything else can prove you were not exploited, but the can assist your investigation by quickly comparing RubyGems API-provided checksums with the checksums of files on your disk. The issue has been patched with improved input validation and the changes are live. No action is required on the part of the user. Users are advised to validate their local gems.
CVSS 7.4