Remote Code Execution Vulnerability in RubyGems by Ruby
CVE-2017-0903

9.8CRITICAL

Key Information:

Vendor: Hackerone
Status: Rubygems
Vendor: CVE Published:; 11 October 2017

What is CVE-2017-0903?

RubyGems, a package manager for the Ruby programming language, contains a vulnerability allowing remote code execution due to unsafe YAML deserialization in gem specifications. Versions from 2.0.0 to 2.6.13 can be exploited by specially crafted serialized objects to bypass class whitelists, ultimately enabling attackers to execute arbitrary code on affected systems. Mitigation involves upgrading to a secure version of RubyGems.

Affected Version(s)

RubyGems Versions >= 2.0.0

References

https://usn.ubuntu.com/3685-1/

vendor-advisoryx_refsource_UBUNTU

https://usn.ubuntu.com/3553-1/

vendor-advisoryx_refsource_UBUNTU

https://access.redhat.com/errata/RHSA-2018:0585

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2017
Vulnerability Reserved
Nov 30, 2016

Hackerone

What is CVE-2017-0903?

Affected Version(s)

References

CVSS V3.1

Timeline