File Overwrite Vulnerability in RubyGems by Ruby
CVE-2017-0901
7.5 HIGH
What is CVE-2017-0901?
RubyGems 2.6.12 and earlier does not validate the name field of a gem specification. Because the installer builds file paths from that name, a crafted gem whose name contains path traversal sequences can cause files to be written outside the gem installation directory, overwriting any file the installing user can write (often root, when gems are installed system-wide). An attacker only needs to get the gem installed, for example by publishing it under a plausible name or as a dependency, so the impact is a loss of integrity on the host rather than disclosure or denial of service. Upgrade to RubyGems 2.6.13 or later (for instance with `gem update --system`) and install gems only from sources you trust.
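The following is an added example, not code from RubyGems, showing why an unvalidated name is dangerous and what an allow-list check looks like. The install layout (`gem_home/specifications/<name>-<version>.gemspec`), the `GEM_HOME` value and the gem names are constructed for illustration; the allow-list pattern mirrors the kind of check RubyGems 2.6.13 added but is this example's own constant.

```ruby
require "pathname"

# Allow-list for gem names: letters, digits, dot, underscore, hyphen.
# Assumption for this example; RubyGems 2.6.13 added a comparable check.
VALID_GEM_NAME = /\A[a-zA-Z0-9._-]+\z/

# Where an installer that trusts the spec name would write the gemspec.
# Illustrative layout only, not RubyGems' Gem::Installer.
def spec_file_path(gem_home, name, version)
  File.join(gem_home, "specifications", "#{name}-#{version}.gemspec")
end

# True when +path+ resolves to +root+ or somewhere below it.
def inside?(root, path)
  root = File.expand_path(root)
  abs  = File.expand_path(path)
  abs == root || abs.start_with?(root + File::SEPARATOR)
end

# The check the vulnerable versions lacked: reject anything that is not a
# plain, non-empty name before it is ever used to build a path.
def gem_name_valid?(name)
  name.is_a?(String) && VALID_GEM_NAME.match?(name)
end

# Hardened variant: validates the name, then refuses to write outside gem_home
# even if a future change to the layout lets something slip through.
def safe_spec_file_path(gem_home, name, version)
  raise ArgumentError, "invalid gem name: #{name.inspect}" unless gem_name_valid?(name)
  path = spec_file_path(gem_home, name, version)
  raise ArgumentError, "refusing to write outside #{gem_home}" unless inside?(gem_home, path)
  path
end

if __FILE__ == $0
  gem_home = "/usr/lib/ruby/gems/2.4.0"          # constructed example value
  evil     = "../../../../../../etc/evil"        # constructed malicious spec name
  puts "unchecked path:  #{File.expand_path(spec_file_path(gem_home, evil, '1.0'))}"
  puts "inside gem_home? #{inside?(gem_home, spec_file_path(gem_home, evil, '1.0'))}"
  begin
    safe_spec_file_path(gem_home, evil, "1.0")
  rescue ArgumentError => e
    puts "hardened:        #{e.message}"
  end
  puts "benign:          #{safe_spec_file_path(gem_home, 'rake', '12.0.0')}"
end
```

Running it shows the traversal name resolving to `/etc/evil-1.0.gemspec`, far outside the gem directory, while the benign name lands under `specifications/`. Validating the name at parse time is the real fix; the containment check on the final path is a second layer that costs nothing and catches layout mistakes.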
Affected Version(s)
RubyGems versions before 2.6.13 (2.6.12 and earlier); fixed in 2.6.13.
EPSS Score
17% chance of being exploited in the next 30 days.
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged