Amazon ALAS-2012-079
History: May 21, 2012 - 4:48 p.m.

Medium: rubygems

2012-05-21 16:48:00
alas.aws.amazon.com

CVSS2: 5.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.004
Percentile: 74.0%

Issue Overview:

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
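
The downgrade described above, shown as a redirect policy check. This is an added illustration, not the RubyGems patch or code from the advisory; `check_redirect`, `resolve_final_uri`, `table_fetcher`, `MAX_REDIRECTS` and the `*.example` hosts are hypothetical names, and the response tables are constructed sample data.

```ruby
require "uri"

# Raised when a redirect would move an HTTPS fetch onto a weaker scheme.
class InsecureRedirectError < StandardError; end

MAX_REDIRECTS = 5 # assumed limit for this sketch

# Resolve a Location header against the current URI and reject any hop
# that leaves HTTPS once the fetch has started on HTTPS.
def check_redirect(from, location)
  target = from.merge(location) # also handles relative Location values
  unless %w[http https].include?(target.scheme)
    raise InsecureRedirectError, "unsupported redirect scheme: #{target}"
  end
  if from.scheme == "https" && target.scheme != "https"
    raise InsecureRedirectError, "refusing HTTPS downgrade: #{from} -> #{target}"
  end
  target
end

# Follow redirects with an injected fetcher (a callable taking a URI and
# returning [status, location_or_nil]) so the policy can be exercised offline.
def resolve_final_uri(start, fetcher)
  uri = URI.parse(start)
  MAX_REDIRECTS.times do
    status, location = fetcher.call(uri)
    return uri unless (300..399).cover?(status) && location
    uri = check_redirect(uri, location)
  end
  raise "too many redirects starting at #{start}"
end

# Constructed sample responses (no real servers involved).
SAFE_CHAIN = {
  "https://gems.example/gems/foo-1.0.gem" => [302, "https://cdn.example/foo-1.0.gem"],
  "https://cdn.example/foo-1.0.gem" => [200, nil],
}.freeze
DOWNGRADE_CHAIN = {
  "https://gems.example/gems/foo-1.0.gem" => [302, "http://mirror.example/foo-1.0.gem"],
  "http://mirror.example/foo-1.0.gem" => [200, nil],
}.freeze

def table_fetcher(table)
  ->(uri) { table.fetch(uri.to_s) }
end
```

A client that follows the second chain without this check fetches the gem over plain HTTP even though the user configured an HTTPS source.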

Affected Packages:

rubygems

Issue Correction:
Run yum update rubygems to update your system.

New Packages:

noarch:  
    rubygems-devel-1.8.11-3.1.amzn1.noarch  
    rubygems-1.8.11-3.1.amzn1.noarch  
  
src:  
    rubygems-1.8.11-3.1.amzn1.src  

Additional References

Red Hat: CVE-2012-2125

Mitre: CVE-2012-2125
