gsd - gsd-2018-1000079

gsd-2018-1000079

Vulnerability from gsd

Modified

2022-05-14 00:00

Details

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.

Aliases

CVE-2018-1000079

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-1000079",
    "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.",
    "id": "GSD-2018-1000079",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-1000079.html",
      "https://www.debian.org/security/2018/dsa-4259",
      "https://www.debian.org/security/2018/dsa-4219",
      "https://access.redhat.com/errata/RHSA-2020:0663",
      "https://access.redhat.com/errata/RHSA-2020:0591",
      "https://access.redhat.com/errata/RHSA-2020:0542",
      "https://access.redhat.com/errata/RHSA-2019:2028",
      "https://access.redhat.com/errata/RHSA-2018:3731",
      "https://access.redhat.com/errata/RHSA-2018:3730",
      "https://access.redhat.com/errata/RHSA-2018:3729",
      "https://ubuntu.com/security/CVE-2018-1000079",
      "https://advisories.mageia.org/CVE-2018-1000079.html",
      "https://alas.aws.amazon.com/cve/html/CVE-2018-1000079.html",
      "https://linux.oracle.com/cve/CVE-2018-1000079.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rubygems-update",
            "purl": "pkg:gem/rubygems-update"
          }
        }
      ],
      "aliases": [
        "CVE-2018-1000079",
        "GHSA-8qxg-mff5-j3wc"
      ],
      "details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n",
      "id": "GSD-2018-1000079",
      "modified": "2022-05-14T00:00:00.000Z",
      "published": "2022-05-14T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2018:3729"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2018:3730"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2018:3731"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2019:2028"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2020:0542"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2020:0591"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2020:0663"
        },
        {
          "type": "WEB",
          "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
        },
        {
          "type": "WEB",
          "url": "https://usn.ubuntu.com/3621-1/"
        },
        {
          "type": "WEB",
          "url": "https://www.debian.org/security/2018/dsa-4219"
        },
        {
          "type": "WEB",
          "url": "https://www.debian.org/security/2018/dsa-4259"
        },
        {
          "type": "WEB",
          "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
        },
        {
          "type": "WEB",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
        },
        {
          "type": "WEB",
          "url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183"
        },
        {
          "type": "WEB",
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778"
        },
        {
          "type": "WEB",
          "url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "RubyGems Path Traversal vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "DATE_ASSIGNED": "2/18/2018 8:11:09",
        "ID": "CVE-2018-1000079",
        "REQUESTER": "craig.ingram@salesforce.com",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "DSA-4219",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4219"
          },
          {
            "name": "USN-3621-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/3621-1/"
          },
          {
            "name": "RHSA-2018:3729",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:3729"
          },
          {
            "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
            "refsource": "MISC",
            "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
          },
          {
            "name": "RHSA-2018:3730",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:3730"
          },
          {
            "name": "RHSA-2018:3731",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:3731"
          },
          {
            "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
          },
          {
            "name": "DSA-4259",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4259"
          },
          {
            "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
            "refsource": "MISC",
            "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
          },
          {
            "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
            "refsource": "MISC",
            "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
          },
          {
            "name": "openSUSE-SU-2019:1771",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
          },
          {
            "name": "RHSA-2019:2028",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:2028"
          },
          {
            "name": "RHSA-2020:0542",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2020:0542"
          },
          {
            "name": "RHSA-2020:0591",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2020:0591"
          },
          {
            "name": "RHSA-2020:0663",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2020:0663"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2018-1000079",
      "cvss_v3": 5.5,
      "date": "2022-05-14",
      "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n",
      "gem": "rubygems-update",
      "ghsa": "8qxg-mff5-j3wc",
      "patched_versions": [
        "\u003e= 2.7.6"
      ],
      "related": {
        "url": [
          "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
          "https://access.redhat.com/errata/RHSA-2018:3729",
          "https://access.redhat.com/errata/RHSA-2018:3730",
          "https://access.redhat.com/errata/RHSA-2018:3731",
          "https://access.redhat.com/errata/RHSA-2019:2028",
          "https://access.redhat.com/errata/RHSA-2020:0542",
          "https://access.redhat.com/errata/RHSA-2020:0591",
          "https://access.redhat.com/errata/RHSA-2020:0663",
          "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html",
          "https://usn.ubuntu.com/3621-1/",
          "https://www.debian.org/security/2018/dsa-4219",
          "https://www.debian.org/security/2018/dsa-4259",
          "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
          "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html",
          "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7",
          "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183",
          "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778",
          "https://security-tracker.debian.org/tracker/CVE-2018-1000079"
        ]
      },
      "title": "RubyGems Path Traversal vulnerability",
      "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e2.2.9 \u003c=2.5.0",
          "affected_versions": "All versions after 2.2.9 up to 2.5.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2018-11-30",
          "description": "RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem.",
          "fixed_versions": [
            "2.5.1"
          ],
          "identifier": "CVE-2018-1000079",
          "identifiers": [
            "CVE-2018-1000079"
          ],
          "not_impacted": "All versions up to 2.2.9, all versions after 2.5.0",
          "package_slug": "gem/rubygems-update",
          "pubdate": "2018-03-13",
          "solution": "Upgrade to version 2.5.1 or above.",
          "title": "Path Traversal",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079",
            "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
          ],
          "uuid": "bab32120-5af7-4031-ad8b-f4f7a28cb972"
        },
        {
          "affected_range": "(,9.1.16.0)",
          "affected_versions": "All versions before 9.1.16.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2023-03-10",
          "description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.",
          "fixed_versions": [
            "9.1.16.0"
          ],
          "identifier": "CVE-2018-1000079",
          "identifiers": [
            "GHSA-8qxg-mff5-j3wc",
            "CVE-2018-1000079"
          ],
          "not_impacted": "All versions starting from 9.1.16.0",
          "package_slug": "maven/org.jruby/jruby-stdlib",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to version 9.1.16.0 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079",
            "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
            "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
            "https://access.redhat.com/errata/RHSA-2018:3729",
            "https://access.redhat.com/errata/RHSA-2018:3730",
            "https://access.redhat.com/errata/RHSA-2018:3731",
            "https://access.redhat.com/errata/RHSA-2019:2028",
            "https://access.redhat.com/errata/RHSA-2020:0542",
            "https://access.redhat.com/errata/RHSA-2020:0591",
            "https://access.redhat.com/errata/RHSA-2020:0663",
            "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html",
            "https://usn.ubuntu.com/3621-1/",
            "https://www.debian.org/security/2018/dsa-4219",
            "https://www.debian.org/security/2018/dsa-4259",
            "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html",
            "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7",
            "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183",
            "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778",
            "https://security-tracker.debian.org/tracker/CVE-2018-1000079",
            "https://github.com/advisories/GHSA-8qxg-mff5-j3wc"
          ],
          "uuid": "a7b78a38-5efa-4682-a2c0-87c33db63da5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.9",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.3.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-1000079"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
            },
            {
              "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
            },
            {
              "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
            },
            {
              "name": "USN-3621-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "https://usn.ubuntu.com/3621-1/"
            },
            {
              "name": "DSA-4219",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "https://www.debian.org/security/2018/dsa-4219"
            },
            {
              "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
            },
            {
              "name": "DSA-4259",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "https://www.debian.org/security/2018/dsa-4259"
            },
            {
              "name": "RHSA-2018:3731",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:3731"
            },
            {
              "name": "RHSA-2018:3730",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:3730"
            },
            {
              "name": "RHSA-2018:3729",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:3729"
            },
            {
              "name": "openSUSE-SU-2019:1771",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
            },
            {
              "name": "RHSA-2019:2028",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2019:2028"
            },
            {
              "name": "RHSA-2020:0542",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2020:0542"
            },
            {
              "name": "RHSA-2020:0591",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2020:0591"
            },
            {
              "name": "RHSA-2020:0663",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2020:0663"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2018-11-30T11:29Z",
      "publishedDate": "2018-03-13T15:29Z"
    }
  }
}

ghsa-8qxg-mff5-j3wc

Vulnerability from github

Published

2022-05-14 01:54

Modified

2023-03-10 02:32

Severity ?

5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

RubyGems Path Traversal vulnerability

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubygems-update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jruby:jruby-stdlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-10T02:32:15Z",
    "nvd_published_at": "2018-03-13T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.",
  "id": "GHSA-8qxg-mff5-j3wc",
  "modified": "2023-03-10T02:32:15Z",
  "published": "2022-05-14T01:54:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4259"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4219"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3621-1"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0663"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0591"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0542"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2028"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3731"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3730"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3729"
    },
    {
      "type": "WEB",
      "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RubyGems Path Traversal vulnerability"
}

cve-2018-1000079

Vulnerability from cvelistv5

Published

2018-03-13 15:00

Modified

2024-08-05 12:33

Severity ?

Summary

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

References

▼	URL	Tags
	https://www.debian.org/security/2018/dsa-4219	vendor-advisory, x_refsource_DEBIAN
	https://usn.ubuntu.com/3621-1/	vendor-advisory, x_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2018:3729	vendor-advisory, x_refsource_REDHAT
	https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2018:3730	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:3731	vendor-advisory, x_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2018/dsa-4259	vendor-advisory, x_refsource_DEBIAN
	https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759	x_refsource_MISC
	http://blog.rubygems.org/2018/02/15/2.7.6-released.html	x_refsource_MISC
	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:2028	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0542	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0591	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0663	vendor-advisory, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:33:49.201Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-4219",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4219"
          },
          {
            "name": "USN-3621-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3621-1/"
          },
          {
            "name": "RHSA-2018:3729",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3729"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
          },
          {
            "name": "RHSA-2018:3730",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3730"
          },
          {
            "name": "RHSA-2018:3731",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3731"
          },
          {
            "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
          },
          {
            "name": "DSA-4259",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4259"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
          },
          {
            "name": "openSUSE-SU-2019:1771",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
          },
          {
            "name": "RHSA-2019:2028",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2028"
          },
          {
            "name": "RHSA-2020:0542",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0542"
          },
          {
            "name": "RHSA-2020:0591",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0591"
          },
          {
            "name": "RHSA-2020:0663",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0663"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-02-18T00:00:00",
      "datePublic": "2018-03-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-03T18:06:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "DSA-4219",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4219"
        },
        {
          "name": "USN-3621-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3621-1/"
        },
        {
          "name": "RHSA-2018:3729",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3729"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
        },
        {
          "name": "RHSA-2018:3730",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3730"
        },
        {
          "name": "RHSA-2018:3731",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3731"
        },
        {
          "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
        },
        {
          "name": "DSA-4259",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4259"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
        },
        {
          "name": "openSUSE-SU-2019:1771",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
        },
        {
          "name": "RHSA-2019:2028",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2028"
        },
        {
          "name": "RHSA-2020:0542",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0542"
        },
        {
          "name": "RHSA-2020:0591",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0591"
        },
        {
          "name": "RHSA-2020:0663",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0663"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2/18/2018 8:11:09",
          "ID": "CVE-2018-1000079",
          "REQUESTER": "craig.ingram@salesforce.com",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-4219",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4219"
            },
            {
              "name": "USN-3621-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3621-1/"
            },
            {
              "name": "RHSA-2018:3729",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3729"
            },
            {
              "name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
              "refsource": "MISC",
              "url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
            },
            {
              "name": "RHSA-2018:3730",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3730"
            },
            {
              "name": "RHSA-2018:3731",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3731"
            },
            {
              "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
            },
            {
              "name": "DSA-4259",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4259"
            },
            {
              "name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
              "refsource": "MISC",
              "url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
            },
            {
              "name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
              "refsource": "MISC",
              "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
            },
            {
              "name": "openSUSE-SU-2019:1771",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
            },
            {
              "name": "RHSA-2019:2028",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2028"
            },
            {
              "name": "RHSA-2020:0542",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0542"
            },
            {
              "name": "RHSA-2020:0591",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0591"
            },
            {
              "name": "RHSA-2020:0663",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0663"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000079",
    "datePublished": "2018-03-13T15:00:00",
    "dateReserved": "2018-02-21T00:00:00",
    "dateUpdated": "2024-08-05T12:33:49.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

gsd-2018-1000079

Vulnerability from gsd

ghsa-8qxg-mff5-j3wc

Vulnerability from github

cve-2018-1000079

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature