GHSA-pm9x-4392-2c2p

GitHub Security Advisory

RubyGems may allow a maliciously crafted gem to overwrite files

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

RubyGems versions 2.6.12 and earlier fail to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

Affected Packages

RubyGems rubygems-update
Affected versions: all versions from 0 up to and including 2.6.12 (fixed in 2.6.13)

Related CVEs

Key Information

GHSA ID
GHSA-pm9x-4392-2c2p
Published
May 13, 2022 1:38 AM
Last Modified
March 9, 2023 12:38 AM
CVSS Score
7.5 / 10
Primary Ecosystem
RubyGems
Primary Package
rubygems-update
GitHub Reviewed
Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.