CVE-2017-0901

UNKNOWN

Published 2017-08-31T20:00:00Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-0901. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

RubyGems

Affected Versions:

Versions before 2.6.13

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

RubyGems may allow a maliciously crafted gem to overwrite files

GHSA-pm9x-4392-2c2p

Advisory Details

RubyGems versions 2.6.12 and earlier fail to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

Affected Packages

RubyGems rubygems-update

ECOSYSTEM: ≥0 <2.6.13

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-0901

WEB https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2

WEB https://hackerone.com/reports/243156

WEB https://access.redhat.com/errata/RHSA-2017:3485

WEB https://access.redhat.com/errata/RHSA-2018:0378

WEB https://access.redhat.com/errata/RHSA-2018:0583

WEB https://access.redhat.com/errata/RHSA-2018:0585

PACKAGE https://github.com/rubygems/rubygems

WEB https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

WEB https://security.gentoo.org/glsa/201710-01

WEB https://usn.ubuntu.com/3553-1

WEB https://usn.ubuntu.com/3685-1

WEB https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249

WEB https://web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100580#:~:text=1%20snapshot-,16%3A05%3A26,-Note

WEB https://www.debian.org/security/2017/dsa-3966

WEB https://www.exploit-db.com/exploits/42611

WEB http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: March 9, 2023

References

https://usn.ubuntu.com/3685-1/

https://usn.ubuntu.com/3553-1/

https://access.redhat.com/errata/RHSA-2018:0585

https://www.debian.org/security/2017/dsa-3966

https://access.redhat.com/errata/RHSA-2018:0378

https://www.exploit-db.com/exploits/42611/

http://www.securitytracker.com/id/1039249

https://hackerone.com/reports/243156

https://access.redhat.com/errata/RHSA-2017:3485

https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://access.redhat.com/errata/RHSA-2018:0583

https://security.gentoo.org/glsa/201710-01

http://www.securityfocus.com/bid/100580

http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Published: 2017-08-31T20:00:00Z

Last Modified: 2024-09-16T20:22:06.483Z

Copied to clipboard!

CVE-2017-0901

Expert Analysis

Description

Available Exploits

Related News

Affected Products

RubyGems

Affected Versions:

GitHub Security Advisories

RubyGems may allow a maliciously crafted gem to overwrite files

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!