CVE-2018-1000076
CRITICAL: RubyGems <2.7.6 - Improper Verification of Cryptographic Signature
RubyGems in Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem being installed, because the tarball could contain multiple gem signatures. This vulnerability appears to have been fixed in 2.7.6.
References (18)
Third Party Advisory, vendor-advisory, x_refsource_debian: https://www.debian.org/security/2018/dsa-4219
Vendor Advisory, vendor-advisory, x_refsource_ubuntu: https://usn.ubuntu.com/3621-1/
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2018:3729
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2018:3730
Mailing List, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2018:3731
Third Party Advisory, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
Mailing List, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory, vendor-advisory, x_refsource_debian: https://www.debian.org/security/2018/dsa-4259
Vendor Advisory, x_refsource_misc: http://blog.rubygems.org/2018/02/15/2.7.6-released.html
Patch, Third Party Advisory, x_refsource_misc: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
Third Party Advisory, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
Mailing List, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
Mailing List, vendor-advisory, x_refsource_suse: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2019:2028
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2020:0542
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2020:0591
Vendor Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2020:0663
Scores
CVSS v3: 9.8
EPSS: 0.0093
EPSS Percentile: 76.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-347
Status: published
Products (4)
debian/debian_linux: 7.0
org.jruby/jruby-stdlib: 0 - 9.1.16.0 (Maven)
rubygems/rubygems: < 2.2.9
rubygems/rubygems-update: 2.2.0 - 2.7.6 (RubyGems)
Published: Mar 13, 2018
Tracked Since: Feb 18, 2026