Metric | CVSS2 | CVSS3 |
---|---|---|
Attack Vector | NETWORK | LOCAL |
Attack Complexity | MEDIUM | LOW |
Authentication | NONE | |
Privileges Required | | NONE |
User Interaction | | REQUIRED |
Scope | | UNCHANGED |
Confidentiality Impact | NONE | NONE |
Integrity Impact | PARTIAL | HIGH |
Availability Impact | NONE | NONE |
Vector string | AV:N/AC:M/Au:N/C:N/I:P/A:N | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |

EPSS Percentile: 83.9%
RubyGems as shipped with Ruby 2.2.9 and earlier (2.2 series), 2.3.6 and earlier (2.3 series), 2.4.3 and earlier (2.4 series), 2.5.0 and earlier (2.5 series), and trunk prior to revision 62422 contains a directory traversal vulnerability in gem installation: a crafted gem can write to arbitrary filesystem locations while it is being installed. Exploitation requires that the victim install a malicious gem. The vulnerability appears to have been fixed in RubyGems 2.7.6.
Author | Note |
---|---|
tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | jruby | < any | UNKNOWN |
ubuntu | 14.04 | noarch | jruby | < any | UNKNOWN |
ubuntu | 16.04 | noarch | jruby | < any | UNKNOWN |
ubuntu | 14.04 | noarch | ruby2.0 | < 2.0.0.484-1ubuntu2.6 | UNKNOWN |
ubuntu | 17.10 | noarch | ruby2.3 | < 2.3.3-1ubuntu1.4 | UNKNOWN |
ubuntu | 16.04 | noarch | ruby2.3 | < 2.3.1-2~16.04.7 | UNKNOWN |
ubuntu | 18.04 | noarch | ruby2.5 | < 2.5.1-1 | UNKNOWN |
ubuntu | 18.10 | noarch | ruby2.5 | < 2.5.1-1 | UNKNOWN |
ubuntu | 19.04 | noarch | ruby2.5 | < 2.5.1-1 | UNKNOWN |
ubuntu | 19.10 | noarch | ruby2.5 | < 2.5.1-1 | UNKNOWN |
github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
launchpad.net/bugs/cve/CVE-2018-1000079
nvd.nist.gov/vuln/detail/CVE-2018-1000079
security-tracker.debian.org/tracker/CVE-2018-1000079
ubuntu.com/security/notices/USN-3621-1
www.cve.org/CVERecord?id=CVE-2018-1000079
www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/