CVE-2017-0901

HIGH

RubyGems <2.6.12 - Code Injection

Title source: llm

Description

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

Exploits (1)

exploitdb WORKING POC VERIFIED
by mame · textlocallinux
https://www.exploit-db.com/exploits/42611

References (15)

Scores

CVSS v3 7.5
EPSS 0.1855
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22 CWE-20
Status published
Products (18)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 8.0
debian/debian_linux 9.0
HackerOne/RubyGems Versions before 2.6.13
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.4
redhat/enterprise_linux_server_aus 7.6
... and 8 more
Published Aug 31, 2017
Tracked Since Feb 18, 2026