CVE-2018-1000073

HIGH

RubyGems <2.7.6 - Path Traversal

Title source: llm
STIX 2.1

Description

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4219
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3621-1/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3729
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3730
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3731
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4259
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2028
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0542
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0591
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0663

Scores

CVSS v3 7.5
EPSS 0.0106
EPSS Percentile 77.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-59
Status published
Products (3)
org.jruby/jruby-stdlib 0 - 9.1.16.0Maven
rubygems/rubygems < 2.2.9
rubygems/rubygems-update 0 - 2.7.6RubyGems
Published Mar 13, 2018
Tracked Since Feb 18, 2026