Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-8qxg-mff5-j3wc
Vulnerability from github
Published
2022-05-14 01:54
Modified
2023-03-10 02:32
Severity ?
Summary
RubyGems Path Traversal vulnerability
Details
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.
{ "affected": [ { "package": { "ecosystem": "RubyGems", "name": "rubygems-update" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.7.6" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.jruby:jruby-stdlib" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "9.1.16.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2018-1000079" ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2023-03-10T02:32:15Z", "nvd_published_at": "2018-03-13T15:29:00Z", "severity": "MODERATE" }, "details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.", "id": "GHSA-8qxg-mff5-j3wc", "modified": "2023-03-10T02:32:15Z", "published": "2022-05-14T01:54:40Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079" }, { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "type": "WEB", "url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7" }, { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4259" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4219" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3621-1" }, { "type": "WEB", "url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "type": "WEB", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0663" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "type": "WEB", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "type": "CVSS_V3" } ], "summary": "RubyGems Path Traversal vulnerability" }
gsd-2018-1000079
Vulnerability from gsd
Modified
2022-05-14 00:00
Details
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability
in gem installation that can result in the gem writing to arbitrary filesystem locations
during installation. This attack appears to be exploitable via installation of a
malicious gem. This vulnerability is fixed in 2.7.6.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2018-1000079", "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.", "id": "GSD-2018-1000079", "references": [ "https://www.suse.com/security/cve/CVE-2018-1000079.html", "https://www.debian.org/security/2018/dsa-4259", "https://www.debian.org/security/2018/dsa-4219", "https://access.redhat.com/errata/RHSA-2020:0663", "https://access.redhat.com/errata/RHSA-2020:0591", "https://access.redhat.com/errata/RHSA-2020:0542", "https://access.redhat.com/errata/RHSA-2019:2028", "https://access.redhat.com/errata/RHSA-2018:3731", "https://access.redhat.com/errata/RHSA-2018:3730", "https://access.redhat.com/errata/RHSA-2018:3729", "https://ubuntu.com/security/CVE-2018-1000079", "https://advisories.mageia.org/CVE-2018-1000079.html", "https://alas.aws.amazon.com/cve/html/CVE-2018-1000079.html", "https://linux.oracle.com/cve/CVE-2018-1000079.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "affected": [ { "package": { "ecosystem": "RubyGems", "name": "rubygems-update", "purl": "pkg:gem/rubygems-update" } } ], "aliases": [ "CVE-2018-1000079", "GHSA-8qxg-mff5-j3wc" ], "details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n", "id": "GSD-2018-1000079", "modified": "2022-05-14T00:00:00.000Z", "published": "2022-05-14T00:00:00.000Z", "references": [ { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0663" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3621-1/" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4219" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4259" }, { "type": "WEB", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "type": "WEB", "url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7" }, { "type": "WEB", "url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183" }, { "type": "WEB", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778" }, { "type": "WEB", "url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079" } ], "schema_version": "1.4.0", "severity": [ { "score": 5.5, "type": "CVSS_V3" } ], "summary": "RubyGems Path Traversal vulnerability" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/18/2018 8:11:09", "ID": "CVE-2018-1000079", "REQUESTER": "craig.ingram@salesforce.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-4219", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4219" }, { "name": "USN-3621-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3621-1/" }, { "name": "RHSA-2018:3729", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "name": "RHSA-2018:3730", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "name": "RHSA-2018:3731", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "DSA-4259", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4259" }, { "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "refsource": "MISC", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "name": "RHSA-2019:2028", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "name": "RHSA-2020:0542", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "name": "RHSA-2020:0591", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "name": "RHSA-2020:0663", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0663" } ] } }, "github.com/rubysec/ruby-advisory-db": { "cve": "2018-1000079", "cvss_v3": 5.5, "date": "2022-05-14", "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n", "gem": "rubygems-update", "ghsa": "8qxg-mff5-j3wc", "patched_versions": [ "\u003e= 2.7.6" ], "related": { "url": [ "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759", "https://access.redhat.com/errata/RHSA-2018:3729", "https://access.redhat.com/errata/RHSA-2018:3730", "https://access.redhat.com/errata/RHSA-2018:3731", "https://access.redhat.com/errata/RHSA-2019:2028", "https://access.redhat.com/errata/RHSA-2020:0542", "https://access.redhat.com/errata/RHSA-2020:0591", "https://access.redhat.com/errata/RHSA-2020:0663", "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html", "https://usn.ubuntu.com/3621-1/", "https://www.debian.org/security/2018/dsa-4219", "https://www.debian.org/security/2018/dsa-4259", "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html", "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7", "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778", "https://security-tracker.debian.org/tracker/CVE-2018-1000079" ] }, "title": "RubyGems Path Traversal vulnerability", "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e2.2.9 \u003c=2.5.0", "affected_versions": "All versions after 2.2.9 up to 2.5.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "cwe_ids": [ "CWE-1035", "CWE-22", "CWE-937" ], "date": "2018-11-30", "description": "RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem.", "fixed_versions": [ "2.5.1" ], "identifier": "CVE-2018-1000079", "identifiers": [ "CVE-2018-1000079" ], "not_impacted": "All versions up to 2.2.9, all versions after 2.5.0", "package_slug": "gem/rubygems-update", "pubdate": "2018-03-13", "solution": "Upgrade to version 2.5.1 or above.", "title": "Path Traversal", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079", "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" ], "uuid": "bab32120-5af7-4031-ad8b-f4f7a28cb972" }, { "affected_range": "(,9.1.16.0)", "affected_versions": "All versions before 9.1.16.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "cwe_ids": [ "CWE-1035", "CWE-22", "CWE-937" ], "date": "2023-03-10", "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.", "fixed_versions": [ "9.1.16.0" ], "identifier": "CVE-2018-1000079", "identifiers": [ "GHSA-8qxg-mff5-j3wc", "CVE-2018-1000079" ], "not_impacted": "All versions starting from 9.1.16.0", "package_slug": "maven/org.jruby/jruby-stdlib", "pubdate": "2022-05-14", "solution": "Upgrade to version 9.1.16.0 or above.", "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079", "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099", "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759", "https://access.redhat.com/errata/RHSA-2018:3729", "https://access.redhat.com/errata/RHSA-2018:3730", "https://access.redhat.com/errata/RHSA-2018:3731", "https://access.redhat.com/errata/RHSA-2019:2028", "https://access.redhat.com/errata/RHSA-2020:0542", "https://access.redhat.com/errata/RHSA-2020:0591", "https://access.redhat.com/errata/RHSA-2020:0663", "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html", "https://usn.ubuntu.com/3621-1/", "https://www.debian.org/security/2018/dsa-4219", "https://www.debian.org/security/2018/dsa-4259", "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html", "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7", "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778", "https://security-tracker.debian.org/tracker/CVE-2018-1000079", "https://github.com/advisories/GHSA-8qxg-mff5-j3wc" ], "uuid": "a7b78a38-5efa-4682-a2c0-87c33db63da5" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.2.9", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.3.6", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.4.3", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.5.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-1000079" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-22" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "name": "USN-3621-1", "refsource": "UBUNTU", "tags": [], "url": "https://usn.ubuntu.com/3621-1/" }, { "name": "DSA-4219", "refsource": "DEBIAN", "tags": [], "url": "https://www.debian.org/security/2018/dsa-4219" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "tags": [], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "DSA-4259", "refsource": "DEBIAN", "tags": [], "url": "https://www.debian.org/security/2018/dsa-4259" }, { "name": "RHSA-2018:3731", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "name": "RHSA-2018:3730", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "name": "RHSA-2018:3729", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "tags": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "name": "RHSA-2019:2028", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "name": "RHSA-2020:0542", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "name": "RHSA-2020:0591", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "name": "RHSA-2020:0663", "refsource": "REDHAT", "tags": [], "url": "https://access.redhat.com/errata/RHSA-2020:0663" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } }, "lastModifiedDate": "2018-11-30T11:29Z", "publishedDate": "2018-03-13T15:29Z" } } }
cve-2018-1000079
Vulnerability from cvelistv5
Published
2018-03-13 15:00
Modified
2024-08-05 12:33
Severity ?
EPSS score ?
Summary
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:49.201Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-4219", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4219" }, { "name": "USN-3621-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3621-1/" }, { "name": "RHSA-2018:3729", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "name": "RHSA-2018:3730", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "name": "RHSA-2018:3731", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "DSA-4259", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4259" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "name": "openSUSE-SU-2019:1771", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "name": "RHSA-2019:2028", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "name": "RHSA-2020:0542", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "name": "RHSA-2020:0591", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "name": "RHSA-2020:0663", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0663" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-02-18T00:00:00", "datePublic": "2018-03-13T00:00:00", "descriptions": [ { "lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-03T18:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-4219", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4219" }, { "name": "USN-3621-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3621-1/" }, { "name": "RHSA-2018:3729", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "name": "RHSA-2018:3730", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "name": "RHSA-2018:3731", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "DSA-4259", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4259" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "name": "openSUSE-SU-2019:1771", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "name": "RHSA-2019:2028", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "name": "RHSA-2020:0542", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "name": "RHSA-2020:0591", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "name": "RHSA-2020:0663", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0663" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/18/2018 8:11:09", "ID": "CVE-2018-1000079", "REQUESTER": "craig.ingram@salesforce.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-4219", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4219" }, { "name": "USN-3621-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3621-1/" }, { "name": "RHSA-2018:3729", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3729" }, { "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099" }, { "name": "RHSA-2018:3730", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3730" }, { "name": "RHSA-2018:3731", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3731" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "DSA-4259", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4259" }, { "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759" }, { "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "refsource": "MISC", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html" }, { "name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html" }, { "name": "RHSA-2019:2028", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2028" }, { "name": "RHSA-2020:0542", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0542" }, { "name": "RHSA-2020:0591", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0591" }, { "name": "RHSA-2020:0663", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0663" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000079", "datePublished": "2018-03-13T15:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2024-08-05T12:33:49.201Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.