Lucene search

[email protected]CVE-2018-1000078

HistoryMar 13, 2018 - 3:29 p.m.

CVE-2018-1000078

2018-03-1315:29:00

CWE-79

[email protected]

web.nvd.nist.gov

164

cve-2018-1000078

rubygems

xss

vulnerability

gem server

homepage display

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.2%

JSON

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.

CPENameOperatorVersion
rubygems:rubygemsrubygemsle2.2.9
rubygems:rubygemsrubygemsle2.3.6
rubygems:rubygemsrubygemsle2.4.3
rubygems:rubygemsrubygemsle2.5.0
debian:debian_linuxdebian debian linuxeq7.0

CPE	Name	Operator	Version
rubygems:rubygems	rubygems	le	2.2.9
rubygems:rubygems	rubygems	le	2.3.6
rubygems:rubygems	rubygems	le	2.4.3
rubygems:rubygems	rubygems	le	2.5.0
debian:debian_linux	debian debian linux	eq	7.0