CVE-2018-1000079

MEDIUM

RubyGems <2.7.6 - Path Traversal

Title source: llm
STIX 2.1

Description

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

References (15)

Core 15
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4219
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3621-1/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3729
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3730
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3731
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4259
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2028
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0542
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0591
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0663

Scores

CVSS v3 5.5
EPSS 0.0032
EPSS Percentile 54.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (3)
org.jruby/jruby-stdlib 0 - 9.1.16.0Maven
rubygems/rubygems < 2.2.9
rubygems/rubygems-update 0 - 2.7.6RubyGems
Published Mar 13, 2018
Tracked Since Feb 18, 2026