CVE-2007-0469
RubyGems < 0.9.1 - Arbitrary File Overwrite via Crafted GEM Package
Title source: llmDescription
The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.
References (6)
Core 6
Core References
Patch, Vendor Advisory x_refsource_confirm
http://rubyforge.org/frs/shownotes.php?release_id=9074
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/31688
Vendor Advisory vendor-advisory
x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_4_sr.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/458128/100/0/threaded
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0295
Mailing List mailing-list
x_refsource_fulldisc
http://marc.info/?l=full-disclosure&m=116939816621060&w=2
Scores
EPSS
0.0659
EPSS Percentile
91.3%
Details
Status
published
Products (3)
rubyforge/rubygems
0.8.11
rubyforge/rubygems
< 0.9.0
rubygems/rubygems-update
0 - 0.9.1RubyGems
Published
Jan 24, 2007
Tracked Since
Feb 18, 2026