CVE-2017-0903

CRITICAL

RubyGems <2.6.14 - RCE

Title source: llm

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

References (13)

Core 13

Core References

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3685-1/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3553-1/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0585

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0378

Third Party Advisory x_refsource_misc

https://hackerone.com/reports/274990

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2017/dsa-4031

Patch, Third Party Advisory x_refsource_misc

https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

View Patch ZIP pw:eip

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3485

Vendor Advisory x_refsource_misc

http://blog.rubygems.org/2017/10/09/2.6.14-released.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0583

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/101275

Vendor Advisory x_refsource_misc

http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

Scores

CVSS v3 9.8

EPSS 0.0554

EPSS Percentile 90.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (45)

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 17.10

debian/debian_linux 8.0

debian/debian_linux 9.0

HackerOne/RubyGems Versions >= 2.0.0

redhat/enterprise_linux_desktop 7.0

redhat/enterprise_linux_server 7.0

redhat/enterprise_linux_server_aus 7.4

redhat/enterprise_linux_server_aus 7.6

... and 35 more

Published Oct 11, 2017

Tracked Since Feb 18, 2026