Lucene search

K

Veracode Vulnerability DatabaseVERACODE:18925

HistoryMay 16, 2019 - 2:16 a.m.

Remote Code Execution (RCE)

2019-05-1602:16:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

11

EPSS

0.135

Percentile

95.6%

RubyGems is vulnerable to remote code execution attacks. YAML deserialization of gem specifications can bypass class white lists. A remote, unauthenticated attacker could create specially crafted, serialized objects to be possibly used for remote code execution.

References

blog.rubygems.org/2017/10/09/2.6.14-released.html

blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

www.securityfocus.com/bid/101275

access.redhat.com/errata/RHSA-2017:3485

access.redhat.com/errata/RHSA-2018:0378

access.redhat.com/errata/RHSA-2018:0583

access.redhat.com/errata/RHSA-2018:0585

access.redhat.com/security/updates/classification/#moderate

bugzilla.redhat.com/show_bug.cgi?id=1506785

github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

hackerone.com/reports/274990

lists.debian.org/debian-lts-announce/2018/07/msg00012.html

usn.ubuntu.com/3553-1/

usn.ubuntu.com/3685-1/

www.debian.org/security/2017/dsa-4031

EPSS

0.135

Percentile

95.6%

Related for VERACODE:18925

redhatcve1 f51 fedora2 nessus22 prion1 amazon3 debiancve1 nvd1 cve1 openvas14 hackerone1 osv5 cvelist1 rubygems1 github1 freebsd1 zdt1 ubuntucve1 ubuntu3 debian3 mageia1 redhat4 ibm1 oraclelinux1 centos1