Malicious Gem Specifications in RubyGems Affect Ruby Software
CVE-2017-0899

9.8CRITICAL

Key Information:

Vendor: Hackerone
Status: Rubygems
Vendor: CVE Published:; 31 August 2017

What is CVE-2017-0899?

RubyGems versions prior to 2.6.13 are susceptible to vulnerabilities due to crafted gem specifications that can contain terminal escape characters. When such specifications are processed, they can unintentionally execute terminal escape sequences, potentially allowing attackers to influence the behavior of the system. This risk emphasizes the importance of maintaining up-to-date software to mitigate exploitation possibilities.

Affected Version(s)

RubyGems Versions before 2.6.13

References

https://access.redhat.com/errata/RHSA-2018:0585

vendor-advisoryx_refsource_REDHAT

https://www.debian.org/security/2017/dsa-3966

vendor-advisoryx_refsource_DEBIAN

https://access.redhat.com/errata/RHSA-2018:0378

vendor-advisoryx_refsource_REDHAT

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 31, 2017
Vulnerability Reserved
Nov 30, 2016

Hackerone

What is CVE-2017-0899?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline