CVE-2017-0903

CRITICAL

RubyGems <2.6.14 - RCE

Title source: llm

Description

RubyGems versions 2.0.0 through 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class whitelists, so specially crafted serialized objects can possibly be used to escalate to remote code execution.

Scores

CVSS v3 9.8
EPSS 0.0462
EPSS Percentile 89.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status draft

Affected Products (50)

rubygems/rubygems
... and 35 more

Timeline

Published Oct 11, 2017
Tracked Since Feb 18, 2026