DNS Hijacking Vulnerability in RubyGems from Ruby
CVE-2017-0902

8.1HIGH

Key Information:

Vendor: Hackerone
Status: Rubygems
Vendor: CVE Published:; 27 August 2017

What is CVE-2017-0902?

RubyGems versions up to 2.6.12 are susceptible to a DNS hijacking vulnerability that permits a man-in-the-middle (MITM) attacker to redirect the RubyGems client. This flaw enables attackers to force the application to download and install gems from a compromised server instead of the legitimate RubyGems repository, posing a significant risk of delivering malicious code to end-users.

Affected Version(s)

RubyGems Versions before 2.6.13

References

https://usn.ubuntu.com/3685-1/

vendor-advisoryx_refsource_UBUNTU

https://usn.ubuntu.com/3553-1/

vendor-advisoryx_refsource_UBUNTU

https://access.redhat.com/errata/RHSA-2018:0585

vendor-advisoryx_refsource_REDHAT

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 27, 2017
Vulnerability Reserved
Nov 30, 2016

Hackerone

What is CVE-2017-0902?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline