{"id": "2C8BD00D-ADA2-11E7-82AF-8DBFF7D75206", "bulletinFamily": "unix", "title": "rubygems -- deserialization vulnerability", "description": "\noss-security mailing list:\n\nThere is a possible unsafe object desrialization vulnerability in\n\t RubyGems. It is possible for YAML deserialization of gem specifications\n\t to bypass class white lists. Specially crafted serialized objects can\n\t possibly be used to escalate to remote code execution.\n\n", "published": "2017-10-09T00:00:00", "modified": "2017-10-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://vuxml.freebsd.org/freebsd/2c8bd00d-ada2-11e7-82af-8dbff7d75206.html", "reporter": "FreeBSD", "references": ["http://www.openwall.com/lists/oss-security/2017/10/10/2", "http://blog.rubygems.org/2017/10/09/2.6.14-released.html"], "cvelist": ["CVE-2017-0903"], "type": "freebsd", "lastseen": "2019-05-29T18:32:09", "edition": 5, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0903"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843725", "OPENVAS:1361412562311220191407", "OPENVAS:1361412562310874041", "OPENVAS:1361412562311220181066", "OPENVAS:1361412562310874125", "OPENVAS:1361412562311220181067", "OPENVAS:1361412562310704031", "OPENVAS:1361412562311220181248", "OPENVAS:1361412562310882847", "OPENVAS:1361412562310843784"]}, {"type": "zdt", "idList": ["1337DAY-ID-28760"]}, {"type": "amazon", "idList": ["ALAS-2018-978", "ALAS-2017-906", "ALAS-2017-915"]}, {"type": "hackerone", "idList": ["H1:274990"]}, {"type": "nessus", "idList": ["EULEROS_SA-2018-1248.NASL", "UBUNTU_USN-3685-1.NASL", "DEBIAN_DSA-4031.NASL", "FEDORA_2018-75E780A7C2.NASL", "ALA_ALAS-2018-978.NASL", "UBUNTU_USN-3553-1.NASL", "ALA_ALAS-2017-915.NASL", "ALA_ALAS-2017-906.NASL", "CENTOS_RHSA-2018-0378.NASL", "FREEBSD_PKG_2C8BD00DADA211E782AF8DBFF7D75206.NASL"]}, {"type": "fedora", "idList": ["FEDORA:25C2160C79BC", "FEDORA:C441860BEEC4"]}, {"type": "ubuntu", "idList": ["USN-3553-1", "USN-3685-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4031-1:AC0D9", "DEBIAN:DLA-1421-1:5BC60"]}, {"type": "redhat", "idList": ["RHSA-2017:3485", "RHSA-2018:0378", "RHSA-2018:0585", "RHSA-2018:0583"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-0378"]}, {"type": "centos", "idList": ["CESA-2018:0378"]}], "modified": "2019-05-29T18:32:09", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2019-05-29T18:32:09", "rev": 2}, "vulnersScore": 7.0}, "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "ruby23-gems", "packageVersion": "2.6.14"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "ruby22-gems", "packageVersion": "2.6.14"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "ruby24-gems", "packageVersion": "2.6.14"}], "scheme": null}

{"cve": [{"lastseen": "2020-10-03T13:07:30", "description": "RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-11T18:29:00", "title": "CVE-2017-0903", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0903"], "modified": "2019-10-09T23:21:00", "cpe": ["cpe:/a:rubygems:rubygems:2.0.16", "cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/a:rubygems:rubygems:2.5.2", "cpe:/a:rubygems:rubygems:2.2.5", "cpe:/a:rubygems:rubygems:2.6.5", "cpe:/a:rubygems:rubygems:2.6.2", "cpe:/a:rubygems:rubygems:2.4.8", "cpe:/a:rubygems:rubygems:2.1.0.rc.1", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:rubygems:rubygems:2.0.3", "cpe:/a:rubygems:rubygems:2.4.4", "cpe:/a:rubygems:rubygems:2.0.4", "cpe:/a:rubygems:rubygems:2.6.8", "cpe:/a:rubygems:rubygems:2.4.6", "cpe:/a:rubygems:rubygems:2.5.1", "cpe:/a:rubygems:rubygems:2.4.7", "cpe:/a:rubygems:rubygems:2.0.5", "cpe:/a:rubygems:rubygems:2.0.14", "cpe:/a:rubygems:rubygems:2.1.4", "cpe:/a:rubygems:rubygems:2.1.5", "cpe:/a:rubygems:rubygems:2.1.0.rc.2", "cpe:/a:rubygems:rubygems:2.1.11", "cpe:/a:rubygems:rubygems:2.2.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", "cpe:/a:rubygems:rubygems:2.6.0", "cpe:/a:rubygems:rubygems:2.6.6", "cpe:/a:rubygems:rubygems:2.3.0", "cpe:/a:rubygems:rubygems:2.0.10", "cpe:/a:rubygems:rubygems:2.4.2", "cpe:/a:rubygems:rubygems:2.1.3", "cpe:/a:rubygems:rubygems:2.4.1", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:rubygems:rubygems:2.6.10", "cpe:/a:rubygems:rubygems:2.4.3", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/a:rubygems:rubygems:2.0.2", "cpe:/a:rubygems:rubygems:2.1.0", "cpe:/a:rubygems:rubygems:2.6.1", "cpe:/a:rubygems:rubygems:2.1.6", "cpe:/a:rubygems:rubygems:2.4.5", "cpe:/a:rubygems:rubygems:2.0.15", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/a:rubygems:rubygems:2.0.13", "cpe:/a:rubygems:rubygems:2.6.7", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/a:rubygems:rubygems:2.0.0", "cpe:/a:rubygems:rubygems:2.0.1", "cpe:/a:rubygems:rubygems:2.6.12", "cpe:/a:rubygems:rubygems:2.6.11", "cpe:/a:rubygems:rubygems:2.6.9", "cpe:/a:rubygems:rubygems:2.1.10", "cpe:/a:rubygems:rubygems:2.5.0", "cpe:/a:rubygems:rubygems:2.0.8", "cpe:/a:rubygems:rubygems:2.6.4", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:rubygems:rubygems:2.2.0", "cpe:/a:rubygems:rubygems:2.0.11", "cpe:/a:rubygems:rubygems:2.2.3", "cpe:/a:rubygems:rubygems:2.0.12", "cpe:/a:rubygems:rubygems:2.1.8", "cpe:/a:rubygems:rubygems:2.4.0", "cpe:/a:rubygems:rubygems:2.0.9", "cpe:/a:rubygems:rubygems:2.2.1", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:rubygems:rubygems:2.2.2", "cpe:/a:rubygems:rubygems:2.0.17", "cpe:/a:rubygems:rubygems:2.0.6", "cpe:/a:rubygems:rubygems:2.1.7", "cpe:/a:rubygems:rubygems:2.6.13", "cpe:/a:rubygems:rubygems:2.2.0.rc.1", "cpe:/a:rubygems:rubygems:2.1.9", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/a:rubygems:rubygems:2.2.0.preiew.1", "cpe:/a:rubygems:rubygems:2.1.2", "cpe:/a:rubygems:rubygems:2.0.7", "cpe:/a:rubygems:rubygems:2.6.3", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:rubygems:rubygems:2.1.1"], "id": "CVE-2017-0903", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0903", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.0.rc.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.11:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.0.preiew.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.0.rc.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.1.0.rc.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0903"], "description": "Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. ", "modified": "2018-01-23T21:51:08", "published": "2018-01-23T21:51:08", "id": "FEDORA:C441860BEEC4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: ruby-2.4.3-86.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0903"], "description": "Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. ", "modified": "2018-02-20T16:39:57", "published": "2018-02-20T16:39:57", "id": "FEDORA:25C2160C79BC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: ruby-2.4.3-86.fc26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:20:08", "description": "Unsafe object deserialization through YAML formatted gem\nspecifications :\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-27T00:00:00", "title": "Amazon Linux AMI : ruby24 / ruby22,ruby23 (ALAS-2018-978)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:rubygems22-devel", "p-cpe:/a:amazon:linux:rubygem24-xmlrpc", "p-cpe:/a:amazon:linux:ruby23-debuginfo", "p-cpe:/a:amazon:linux:ruby24", "p-cpe:/a:amazon:linux:rubygem22-io-console", "p-cpe:/a:amazon:linux:rubygem22-bigdecimal", "p-cpe:/a:amazon:linux:ruby22", "p-cpe:/a:amazon:linux:ruby22-devel", "p-cpe:/a:amazon:linux:ruby24-doc", "p-cpe:/a:amazon:linux:rubygem23-io-console", "p-cpe:/a:amazon:linux:rubygems23-devel", "p-cpe:/a:amazon:linux:ruby24-irb", "p-cpe:/a:amazon:linux:rubygem24-did_you_mean", "p-cpe:/a:amazon:linux:ruby24-debuginfo", "p-cpe:/a:amazon:linux:rubygem22-psych", "p-cpe:/a:amazon:linux:ruby23-irb", "p-cpe:/a:amazon:linux:rubygem24-io-console", "p-cpe:/a:amazon:linux:ruby22-irb", "p-cpe:/a:amazon:linux:ruby24-devel", "p-cpe:/a:amazon:linux:rubygems24", "p-cpe:/a:amazon:linux:rubygem23-did_you_mean", "p-cpe:/a:amazon:linux:rubygems23", "p-cpe:/a:amazon:linux:rubygems24-devel", "p-cpe:/a:amazon:linux:rubygems22", "p-cpe:/a:amazon:linux:rubygem23-bigdecimal", "p-cpe:/a:amazon:linux:ruby22-debuginfo", "p-cpe:/a:amazon:linux:ruby22-doc", "p-cpe:/a:amazon:linux:rubygem24-psych", "p-cpe:/a:amazon:linux:ruby23-devel", "p-cpe:/a:amazon:linux:rubygem23-json", "p-cpe:/a:amazon:linux:ruby23-libs", "p-cpe:/a:amazon:linux:rubygem23-psych", "p-cpe:/a:amazon:linux:rubygem24-bigdecimal", "p-cpe:/a:amazon:linux:ruby22-libs", "p-cpe:/a:amazon:linux:rubygem24-json", "p-cpe:/a:amazon:linux:ruby24-libs", "p-cpe:/a:amazon:linux:ruby23", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:ruby23-doc"], "id": "ALA_ALAS-2018-978.NASL", "href": "https://www.tenable.com/plugins/nessus/108603", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-978.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108603);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2017-0903\");\n script_xref(name:\"ALAS\", value:\"2018-978\");\n\n script_name(english:\"Amazon Linux AMI : ruby24 / ruby22,ruby23 (ALAS-2018-978)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unsafe object deserialization through YAML formatted gem\nspecifications :\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-978.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update ruby24' to update your system.\n\nRun 'yum update ruby22' to update your system.\n\nRun 'yum update ruby23' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-debuginfo-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-devel-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-doc-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-irb-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-libs-2.2.9-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-debuginfo-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-devel-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-doc-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-irb-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-libs-2.3.6-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-debuginfo-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-devel-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-doc-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-irb-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-libs-2.4.3-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-bigdecimal-1.2.6-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-io-console-0.4.3-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-psych-2.0.8.1-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-bigdecimal-1.2.8-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-did_you_mean-1.0.0-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-io-console-0.4.5-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-json-1.8.3.1-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-psych-2.1.0.1-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-bigdecimal-1.3.0-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-did_you_mean-1.1.0-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-io-console-0.4.6-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-json-2.0.4-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-psych-2.2.2-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-xmlrpc-0.2.1-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-2.4.5.2-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-devel-2.4.5.2-1.10.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-2.5.2.2-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-devel-2.5.2.2-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-2.6.14-1.30.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-devel-2.6.14-1.30.5.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby22 / ruby22-debuginfo / ruby22-devel / ruby22-doc / ruby22-irb / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:48:28", "description": "oss-security mailing list :\n\nThere is a possible unsafe object desrialization vulnerability in\nRubyGems. It is possible for YAML deserialization of gem\nspecifications to bypass class white lists. Specially crafted\nserialized objects can possibly be used to escalate to remote code\nexecution.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-11T00:00:00", "title": "FreeBSD : rubygems -- deserialization vulnerability (2c8bd00d-ada2-11e7-82af-8dbff7d75206)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903"], "modified": "2017-10-11T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ruby23-gems", "p-cpe:/a:freebsd:freebsd:ruby24-gems", "p-cpe:/a:freebsd:freebsd:ruby22-gems"], "id": "FREEBSD_PKG_2C8BD00DADA211E782AF8DBFF7D75206.NASL", "href": "https://www.tenable.com/plugins/nessus/103760", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103760);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-0903\");\n\n script_name(english:\"FreeBSD : rubygems -- deserialization vulnerability (2c8bd00d-ada2-11e7-82af-8dbff7d75206)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"oss-security mailing list :\n\nThere is a possible unsafe object desrialization vulnerability in\nRubyGems. It is possible for YAML deserialization of gem\nspecifications to bypass class white lists. Specially crafted\nserialized objects can possibly be used to escalate to remote code\nexecution.\"\n );\n # http://www.openwall.com/lists/oss-security/2017/10/10/2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2017/10/10/2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://blog.rubygems.org/2017/10/09/2.6.14-released.html\"\n );\n # https://vuxml.freebsd.org/freebsd/2c8bd00d-ada2-11e7-82af-8dbff7d75206.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?21ff2e04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ruby22-gems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ruby23-gems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ruby24-gems\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ruby22-gems<2.6.14\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ruby23-gems<2.6.14\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ruby24-gems<2.6.14\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:18:50", "description": "Update to Ruby 2.4.3.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-24T00:00:00", "title": "Fedora 27 : ruby (2018-75e780a7c2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903"], "modified": "2018-01-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:ruby"], "id": "FEDORA_2018-75E780A7C2.NASL", "href": "https://www.tenable.com/plugins/nessus/106278", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-75e780a7c2.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106278);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-0903\");\n script_xref(name:\"FEDORA\", value:\"2018-75e780a7c2\");\n\n script_name(english:\"Fedora 27 : ruby (2018-75e780a7c2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Ruby 2.4.3.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-75e780a7c2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ruby package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"ruby-2.4.3-86.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:46:51", "description": "It was discovered that Ruby failed to validate specification names. An\nattacker could possibly use a maliciously crafted gem to potentially\noverwrite any file on the filesystem. (CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An\nattacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-02-01T00:00:00", "title": "Ubuntu 16.04 LTS / 17.10 : ruby2.3 vulnerabilities (USN-3553-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903", "CVE-2017-0902", "CVE-2017-0901"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "p-cpe:/a:canonical:ubuntu_linux:libruby2.3", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:ruby2.3"], "id": "UBUNTU_USN-3553-1.NASL", "href": "https://www.tenable.com/plugins/nessus/106557", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3553-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106557);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/09/18 12:31:48\");\n\n script_cve_id(\"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\");\n script_xref(name:\"USN\", value:\"3553-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 17.10 : ruby2.3 vulnerabilities (USN-3553-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Ruby failed to validate specification names. An\nattacker could possibly use a maliciously crafted gem to potentially\noverwrite any file on the filesystem. (CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An\nattacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3553-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libruby2.3 and / or ruby2.3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libruby2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libruby2.3\", pkgver:\"2.3.1-2~16.04.6\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"ruby2.3\", pkgver:\"2.3.1-2~16.04.6\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libruby2.3\", pkgver:\"2.3.3-1ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"ruby2.3\", pkgver:\"2.3.3-1ubuntu1.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libruby2.3 / ruby2.3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:51:04", "description": "Several vulnerabilities have been discovered in the interpreter for\nthe Ruby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2017-0898\n aerodudrizzt reported a buffer underrun vulnerability in\n the sprintf method of the Kernel module resulting in\n heap memory corruption or information disclosure from\n the heap.\n\n - CVE-2017-0903\n Max Justicz reported that RubyGems is prone to an unsafe\n object deserialization vulnerability. When parsed by an\n application which processes gems, a specially crafted\n YAML formatted gem specification can lead to remote code\n execution.\n\n - CVE-2017-10784\n Yusuke Endoh discovered an escape sequence injection\n vulnerability in the Basic authentication of WEBrick. An\n attacker can take advantage of this flaw to inject\n malicious escape sequences to the WEBrick log and\n potentially execute control characters on the victim's\n terminal emulator when reading logs.\n\n - CVE-2017-14033\n asac reported a buffer underrun vulnerability in the\n OpenSSL extension. A remote attacker can take advantage\n of this flaw to cause the Ruby interpreter to crash\n leading to a denial of service.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-13T00:00:00", "title": "Debian DSA-4031-1 : ruby2.3 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033"], "modified": "2017-11-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ruby2.3", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4031.NASL", "href": "https://www.tenable.com/plugins/nessus/104503", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4031. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104503);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\");\n script_xref(name:\"DSA\", value:\"4031\");\n\n script_name(english:\"Debian DSA-4031-1 : ruby2.3 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the interpreter for\nthe Ruby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2017-0898\n aerodudrizzt reported a buffer underrun vulnerability in\n the sprintf method of the Kernel module resulting in\n heap memory corruption or information disclosure from\n the heap.\n\n - CVE-2017-0903\n Max Justicz reported that RubyGems is prone to an unsafe\n object deserialization vulnerability. When parsed by an\n application which processes gems, a specially crafted\n YAML formatted gem specification can lead to remote code\n execution.\n\n - CVE-2017-10784\n Yusuke Endoh discovered an escape sequence injection\n vulnerability in the Basic authentication of WEBrick. An\n attacker can take advantage of this flaw to inject\n malicious escape sequences to the WEBrick log and\n potentially execute control characters on the victim's\n terminal emulator when reading logs.\n\n - CVE-2017-14033\n asac reported a buffer underrun vulnerability in the\n OpenSSL extension. A remote attacker can take advantage\n of this flaw to cause the Ruby interpreter to crash\n leading to a denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875928\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875931\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875936\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0898\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-10784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-14033\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/ruby2.3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-4031\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the ruby2.3 packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.3.3-1+deb9u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libruby2.3\", reference:\"2.3.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby2.3\", reference:\"2.3.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby2.3-dev\", reference:\"2.3.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby2.3-doc\", reference:\"2.3.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby2.3-tcltk\", reference:\"2.3.3-1+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:19:41", "description": "Arbitrary heap exposure during a JSON.generate call\n\nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can\nexpose arbitrary memory during a JSON.generate call. The issues lies\nin using strdup in ext/json/ext/generator/generator.c, which will stop\nafter encountering a '\\\\0' byte, returning a pointer to a string of\nlength zero, which is not the length stored in space_len.\n(CVE-2017-14064)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to\ninject terminal emulator escape sequences into its log and possibly\nexecute arbitrary commands via a crafted user name. (CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause\na denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications to cause a denial of service attack against\nRubyGems clients who have issued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems version 2.6.12 and earlier fails to validate specification\nnames, allowing a maliciously crafted gem to potentially overwrite any\nfile on the filesystem. (CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking\nvulnerability that allows a MITM attacker to force the RubyGems client\nto download and install gems from a server that the attacker controls.\n(CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious\nformat string which contains a precious specifier (*) with a huge\nminus value. Such situation can lead to a buffer overrun, resulting in\na heap memory corruption or an information disclosure from the heap.\n(CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications that include terminal escape characters.\nPrinting the gem specification would execute terminal escape\nsequences. (CVE-2017-0899)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-27T00:00:00", "title": "Amazon Linux AMI : ruby24 (ALAS-2017-915)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:rubygem24-xmlrpc", "p-cpe:/a:amazon:linux:ruby24", "p-cpe:/a:amazon:linux:ruby24-doc", "p-cpe:/a:amazon:linux:ruby24-irb", "p-cpe:/a:amazon:linux:rubygem24-did_you_mean", "p-cpe:/a:amazon:linux:ruby24-debuginfo", "p-cpe:/a:amazon:linux:rubygem24-io-console", "p-cpe:/a:amazon:linux:ruby24-devel", "p-cpe:/a:amazon:linux:rubygems24", "p-cpe:/a:amazon:linux:rubygems24-devel", "p-cpe:/a:amazon:linux:rubygem24-psych", "p-cpe:/a:amazon:linux:rubygem24-bigdecimal", "p-cpe:/a:amazon:linux:rubygem24-json", "p-cpe:/a:amazon:linux:ruby24-libs", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-915.NASL", "href": "https://www.tenable.com/plugins/nessus/104181", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-915.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104181);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"ALAS\", value:\"2017-915\");\n\n script_name(english:\"Amazon Linux AMI : ruby24 (ALAS-2017-915)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Arbitrary heap exposure during a JSON.generate call\n\nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can\nexpose arbitrary memory during a JSON.generate call. The issues lies\nin using strdup in ext/json/ext/generator/generator.c, which will stop\nafter encountering a '\\\\0' byte, returning a pointer to a string of\nlength zero, which is not the length stored in space_len.\n(CVE-2017-14064)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to\ninject terminal emulator escape sequences into its log and possibly\nexecute arbitrary commands via a crafted user name. (CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause\na denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications to cause a denial of service attack against\nRubyGems clients who have issued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems version 2.6.12 and earlier fails to validate specification\nnames, allowing a maliciously crafted gem to potentially overwrite any\nfile on the filesystem. (CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking\nvulnerability that allows a MITM attacker to force the RubyGems client\nto download and install gems from a server that the attacker controls.\n(CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious\nformat string which contains a precious specifier (*) with a huge\nminus value. Such situation can lead to a buffer overrun, resulting in\na heap memory corruption or an information disclosure from the heap.\n(CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications that include terminal escape characters.\nPrinting the gem specification would execute terminal escape\nsequences. (CVE-2017-0899)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-915.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update ruby24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-debuginfo-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-devel-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-doc-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-irb-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-libs-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-bigdecimal-1.3.0-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-did_you_mean-1.1.0-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-io-console-0.4.6-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-json-2.0.4-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-psych-2.2.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-xmlrpc-0.2.1-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-2.6.13-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-devel-2.6.13-1.30.4.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby24 / ruby24-debuginfo / ruby24-devel / ruby24-doc / ruby24-irb / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T10:55:37", "description": "Some of these CVE were already addressed in previous USN: 3439-1,\n3553-1, 3528-1. Here we address for the remain releases.\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An\nattacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to expose sensitive information.\n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to inject a crafted key\ninto a HTTP response. (CVE-2017-17742)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could possibly use this to execute arbitrary code. This\nupdate is only addressed to ruby2.0. (CVE-2018-1000074)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to cause a denial of\nservice. (CVE-2018-8777).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-15T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : Ruby vulnerabilities (USN-3685-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-17742", "CVE-2017-10784", "CVE-2017-0902", "CVE-2018-1000074", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2018-06-15T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "p-cpe:/a:canonical:ubuntu_linux:ruby2.0", "p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1", "p-cpe:/a:canonical:ubuntu_linux:libruby2.3", "p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:ruby2.3", "p-cpe:/a:canonical:ubuntu_linux:ruby1.9.3", "p-cpe:/a:canonical:ubuntu_linux:libruby2.0", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3685-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110551", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3685-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110551);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14064\", \"CVE-2017-17742\", \"CVE-2018-1000074\", \"CVE-2018-8777\");\n script_xref(name:\"USN\", value:\"3685-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : Ruby vulnerabilities (USN-3685-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Some of these CVE were already addressed in previous USN: 3439-1,\n3553-1, 3528-1. Here we address for the remain releases.\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An\nattacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to expose sensitive information.\n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to inject a crafted key\ninto a HTTP response. (CVE-2017-17742)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could possibly use this to execute arbitrary code. This\nupdate is only addressed to ruby2.0. (CVE-2018-1000074)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to cause a denial of\nservice. (CVE-2018-8777).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3685-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libruby2.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libruby2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby2.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libruby1.9.1\", pkgver:\"1.9.3.484-2ubuntu1.12\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libruby2.0\", pkgver:\"2.0.0.484-1ubuntu2.10\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ruby1.9.1\", pkgver:\"1.9.3.484-2ubuntu1.12\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ruby1.9.3\", pkgver:\"1.9.3.484-2ubuntu1.12\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ruby2.0\", pkgver:\"2.0.0.484-1ubuntu2.10\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libruby2.3\", pkgver:\"2.3.1-2~16.04.10\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"ruby2.3\", pkgver:\"2.3.1-2~16.04.10\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libruby2.3\", pkgver:\"2.3.3-1ubuntu1.6\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"ruby2.3\", pkgver:\"2.3.3-1ubuntu1.6\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libruby1.9.1 / libruby2.0 / libruby2.3 / ruby1.9.1 / ruby1.9.3 / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:19:41", "description": "SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM\ncommands in Net::SMTP\n\nA SMTP command injection flaw was found in the way Ruby's Net::SMTP\nmodule handled CRLF sequences in certain SMTP commands. An attacker\ncould potentially use this flaw to inject SMTP commands in a SMTP\nsession in order to facilitate phishing attacks or spam campaigns.\n(CVE-2015-9096)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby allows remote\nattackers to inject terminal emulator escape sequences into its log\nand possibly execute arbitrary commands via a crafted user name.\n(CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers\nto cause a denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems is vulnerable to maliciously crafted gem specifications to\ncause a denial of service attack against RubyGems clients who have\nissued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems fails to validate specification names, allowing a maliciously\ncrafted gem to potentially overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a\nMITM attacker to force the RubyGems client to download and install\ngems from a server that the attacker controls. (CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby is vulnerable to a malicious format string which contains a\nprecious specifier (*) with a huge minus value. Such situation can\nlead to a buffer overrun, resulting in a heap memory corruption or an\ninformation disclosure from the heap. (CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems is vulnerable to maliciously crafted gem specifications that\ninclude terminal escape characters. Printing the gem specification\nwould execute terminal escape sequences. (CVE-2017-0899)\n\nArbitrary heap exposure during a JSON.generate call\n\nRuby can expose arbitrary memory during a JSON.generate call. The\nissues lies in using strdup in ext/json/ext/generator/generator.c,\nwhich will stop after encountering a '\\\\0' byte, returning a pointer\nto a string of length zero, which is not the length stored in\nspace_len. (CVE-2017-14064)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-03T00:00:00", "title": "Amazon Linux AMI : ruby22 / ruby23 (ALAS-2017-906)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2015-9096", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:rubygems22-devel", "p-cpe:/a:amazon:linux:ruby23-debuginfo", "p-cpe:/a:amazon:linux:rubygem22-io-console", "p-cpe:/a:amazon:linux:rubygem22-bigdecimal", "p-cpe:/a:amazon:linux:ruby22", "p-cpe:/a:amazon:linux:ruby22-devel", "p-cpe:/a:amazon:linux:rubygem23-io-console", "p-cpe:/a:amazon:linux:rubygems23-devel", "p-cpe:/a:amazon:linux:rubygem22-psych", "p-cpe:/a:amazon:linux:ruby23-irb", "p-cpe:/a:amazon:linux:ruby22-irb", "p-cpe:/a:amazon:linux:rubygem23-did_you_mean", "p-cpe:/a:amazon:linux:rubygems23", "p-cpe:/a:amazon:linux:rubygems22", "p-cpe:/a:amazon:linux:rubygem23-bigdecimal", "p-cpe:/a:amazon:linux:ruby22-debuginfo", "p-cpe:/a:amazon:linux:ruby22-doc", "p-cpe:/a:amazon:linux:ruby23-devel", "p-cpe:/a:amazon:linux:rubygem23-json", "p-cpe:/a:amazon:linux:ruby23-libs", "p-cpe:/a:amazon:linux:rubygem23-psych", "p-cpe:/a:amazon:linux:ruby22-libs", "p-cpe:/a:amazon:linux:ruby23", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:ruby23-doc"], "id": "ALA_ALAS-2017-906.NASL", "href": "https://www.tenable.com/plugins/nessus/103603", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-906.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103603);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2015-9096\", \"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"ALAS\", value:\"2017-906\");\n\n script_name(english:\"Amazon Linux AMI : ruby22 / ruby23 (ALAS-2017-906)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM\ncommands in Net::SMTP\n\nA SMTP command injection flaw was found in the way Ruby's Net::SMTP\nmodule handled CRLF sequences in certain SMTP commands. An attacker\ncould potentially use this flaw to inject SMTP commands in a SMTP\nsession in order to facilitate phishing attacks or spam campaigns.\n(CVE-2015-9096)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby allows remote\nattackers to inject terminal emulator escape sequences into its log\nand possibly execute arbitrary commands via a crafted user name.\n(CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers\nto cause a denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems is vulnerable to maliciously crafted gem specifications to\ncause a denial of service attack against RubyGems clients who have\nissued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems fails to validate specification names, allowing a maliciously\ncrafted gem to potentially overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a\nMITM attacker to force the RubyGems client to download and install\ngems from a server that the attacker controls. (CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby is vulnerable to a malicious format string which contains a\nprecious specifier (*) with a huge minus value. Such situation can\nlead to a buffer overrun, resulting in a heap memory corruption or an\ninformation disclosure from the heap. (CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems is vulnerable to maliciously crafted gem specifications that\ninclude terminal escape characters. Printing the gem specification\nwould execute terminal escape sequences. (CVE-2017-0899)\n\nArbitrary heap exposure during a JSON.generate call\n\nRuby can expose arbitrary memory during a JSON.generate call. The\nissues lies in using strdup in ext/json/ext/generator/generator.c,\nwhich will stop after encountering a '\\\\0' byte, returning a pointer\nto a string of length zero, which is not the length stored in\nspace_len. (CVE-2017-14064)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-906.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update ruby22' to update your system.\n\nRun 'yum update ruby23' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-debuginfo-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-devel-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-doc-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-irb-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-libs-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-debuginfo-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-devel-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-doc-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-irb-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-libs-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-bigdecimal-1.2.6-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-io-console-0.4.3-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-psych-2.0.8.1-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-bigdecimal-1.2.8-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-did_you_mean-1.0.0-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-io-console-0.4.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-json-1.8.3.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-psych-2.1.0.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-2.4.5.2-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-devel-2.4.5.2-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-2.5.2.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-devel-2.5.2.1-1.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby22 / ruby22-debuginfo / ruby22-devel / ruby22-doc / ruby22-irb / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:53:13", "description": "According to the versions of the ruby packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-03-20T00:00:00", "title": "EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1066)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2018-03-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ruby-libs", "p-cpe:/a:huawei:euleros:ruby-irb", "p-cpe:/a:huawei:euleros:ruby", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1066.NASL", "href": "https://www.tenable.com/plugins/nessus/108470", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108470);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-0898\",\n \"CVE-2017-0899\",\n \"CVE-2017-0900\",\n \"CVE-2017-0901\",\n \"CVE-2017-0902\",\n \"CVE-2017-0903\",\n \"CVE-2017-10784\",\n \"CVE-2017-14033\",\n \"CVE-2017-14064\",\n \"CVE-2017-17405\",\n \"CVE-2017-17790\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1066)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ruby packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1066\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3db34d7b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ruby packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ruby-2.0.0.648-33.h2\",\n \"ruby-irb-2.0.0.648-33.h2\",\n \"ruby-libs-2.0.0.648-33.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:24:53", "description": "Security Fix(es) :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw to\n execute arbitrary commands by setting up a malicious FTP\n server and tricking a user or Ruby application into\n downloading files with specially crafted names using the\n Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf function.\n An attacker, with ability to control its format string\n parameter, could send a specially crafted string that\n would disclose heap memory or crash the interpreter.\n (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use of\n escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the OpenSSL::ASN1\n module was vulnerable to buffer underrun. An attacker\n could pass a specially crafted string to the application\n in order to crash the ruby interpreter, causing a denial\n of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the use\n of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive amount\n of CPU while parsing a sufficiently long gem summary. A\n specially crafted gem from a gem repository could freeze\n gem commands attempting to parse its summary.\n (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\n - The 'lazy_initialize' function in lib/resolv.rb did not\n properly process certain filenames. A remote attacker\n could possibly exploit this flaw to inject and execute\n arbitrary commands. (CVE-2017-17790)", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-01T00:00:00", "title": "Scientific Linux Security Update : ruby on SL7.x x86_64 (20180228)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2018-03-01T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:rubygem-io-console", "p-cpe:/a:fermilab:scientific_linux:rubygem-json", "p-cpe:/a:fermilab:scientific_linux:ruby-libs", "p-cpe:/a:fermilab:scientific_linux:ruby-devel", "p-cpe:/a:fermilab:scientific_linux:rubygem-minitest", "p-cpe:/a:fermilab:scientific_linux:ruby-doc", "p-cpe:/a:fermilab:scientific_linux:rubygems", "p-cpe:/a:fermilab:scientific_linux:rubygem-bigdecimal", "p-cpe:/a:fermilab:scientific_linux:rubygem-rake", "p-cpe:/a:fermilab:scientific_linux:rubygem-psych", "p-cpe:/a:fermilab:scientific_linux:ruby-irb", "p-cpe:/a:fermilab:scientific_linux:ruby", "p-cpe:/a:fermilab:scientific_linux:rubygem-rdoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:rubygems-devel", "p-cpe:/a:fermilab:scientific_linux:ruby-tcltk", "p-cpe:/a:fermilab:scientific_linux:ruby-debuginfo"], "id": "SL_20180228_RUBY_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/107084", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107084);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n\n script_name(english:\"Scientific Linux Security Update : ruby on SL7.x x86_64 (20180228)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw to\n execute arbitrary commands by setting up a malicious FTP\n server and tricking a user or Ruby application into\n downloading files with specially crafted names using the\n Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf function.\n An attacker, with ability to control its format string\n parameter, could send a specially crafted string that\n would disclose heap memory or crash the interpreter.\n (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use of\n escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the OpenSSL::ASN1\n module was vulnerable to buffer underrun. An attacker\n could pass a specially crafted string to the application\n in order to crash the ruby interpreter, causing a denial\n of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the use\n of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive amount\n of CPU while parsing a sufficiently long gem summary. A\n specially crafted gem from a gem repository could freeze\n gem commands attempting to parse its summary.\n (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\n - The 'lazy_initialize' function in lib/resolv.rb did not\n properly process certain filenames. A remote attacker\n could possibly exploit this flaw to inject and execute\n arbitrary commands. (CVE-2017-17790)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1802&L=scientific-linux-errata&F=&S=&P=9778\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3b8a648d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:ruby-tcltk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-minitest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygem-rdoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:rubygems-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"ruby-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"ruby-debuginfo-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"ruby-devel-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"ruby-doc-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"ruby-irb-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"ruby-libs-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"ruby-tcltk-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"rubygem-bigdecimal-1.2.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"rubygem-io-console-0.4.2-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"rubygem-json-1.7.7-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"rubygem-minitest-4.3.2-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"rubygem-psych-2.0.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"rubygem-rake-0.9.6-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"rubygem-rdoc-4.0.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"rubygems-2.0.14.1-33.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"rubygems-devel-2.0.14.1-33.el7_4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby / ruby-debuginfo / ruby-devel / ruby-doc / ruby-irb / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-17T19:22:41", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2017-10-10T00:00:00", "title": "RubyGems Unsafe Object Deserialization Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-0903"], "modified": "2017-10-10T00:00:00", "href": "https://0day.today/exploit/description/28760", "id": "1337DAY-ID-28760", "sourceData": "# Unsafe Object Deserialization Vulnerability in RubyGems\r\n\r\nThere is a possible unsafe object desrialization vulnerability in RubyGems.\r\nIt is possible for YAML deserialization of gem specifications to bypass class\r\nwhite lists. Specially crafted serialized objects can possibly be used to\r\nescalate to remote code execution. This vulnerability has been assigned the\r\nCVE identifier CVE-2017-0903.\r\n\r\nVersions Affected: <= 2.0.0.\r\nNot affected: < 2.0.0\r\nFixed Versions: 2.6.14\r\n\r\nImpact\r\n------\r\nWhen packaging a Gem, RubyGems will store information about the gem (the\r\n\"specification\") inside the Gem package, and formatted as YAML. When reading\r\nGem information, RubyGems will parse that YAML. Without safeguards, YAML can\r\nbe used to instantiate objects in a target system. If an attacker knows about\r\nthe target system, they can use these instantiated objects as a way to\r\nescalate to an RCE via other means like `Marshal.load`.\r\n\r\nNormally, a remote code execution flaw isn't a problem in RubyGems because\r\nRubyGems is designed to execute arbitrary code any time a Gem is installed.\r\nHowever, services that process Gems like RubyGems.org can be impacted by this.\r\nIn other words, when used as a client, RubyGems is not impacted. Applications\r\nthat process Gems on the server are impacted.\r\n\r\nReleases\r\n--------\r\nThe FIXED releases are available at the normal locations.\r\n\r\nWorkarounds\r\n-----------\r\nFor users that can't patch or upgrade, the following monkey patch will\r\nmitigate this risk:\r\n\r\n```\r\nmodule Gem\r\n class Specification\r\n WHITELISTED_CLASSES = %w(\r\n Symbol\r\n Time\r\n Date\r\n Gem::Dependency\r\n Gem::Platform\r\n Gem::Requirement\r\n Gem::Specification\r\n Gem::Version\r\n Gem::Version::Requirement\r\n )\r\n\r\n WHITELISTED_SYMBOLS = %w(\r\n development\r\n runtime\r\n )\r\n\r\n def self.from_yaml(input)\r\n input = normalize_yaml_input input\r\n spec = Psych.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)\r\n\r\n fail Gem::EndOfYAMLException if spec &amp;&amp; spec.class == FalseClass\r\n\r\n unless Gem::Specification === spec\r\n fail Gem::Exception, \"YAML data doesn't evaluate to gem specification\"\r\n end\r\n\r\n spec.specification_version ||= NONEXISTENT_SPECIFICATION_VERSION\r\n spec.reset_nil_attributes_to_default\r\n\r\n spec\r\n end\r\n end\r\n\r\n class Package\r\n def read_checksums gem\r\n Gem.load_yaml\r\n\r\n @checksums = gem.seek 'checksums.yaml.gz' do |entry|\r\n Zlib::GzipReader.wrap entry do |gz_io|\r\n Psych.safe_load(gz_io.read, Gem::Specification::WHITELISTED_CLASSES, Gem::Specification::WHITELISTED_SYMBOLS, true)\r\n end\r\n end\r\n end\r\n end\r\nend\r\n\r\nPatches\r\n-------\r\nTo aid users who aren't able to upgrade immediately we have provided patches for\r\nthe two supported release series. They are in git-am format and consist of a\r\nsingle changeset.\r\n\r\n* 2-6-whitelist-bypass.patch - Patch for 2.6 series\r\n\r\nPlease note that only the 2.6.x series is supported at present. Users\r\nof earlier unsupported releases are advised to upgrade as soon as possible as we\r\ncannot guarantee the continued availability of security fixes for unsupported\r\nreleases.\r\n\r\nCredits\r\n-------\r\nThanks to Max Justicz ( https://mastodon.mit.edu/@maxj ) for reporting this!\r\n\r\n-- \r\nAaron Patterson\r\nhttp://tenderlovemaking.com/\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28760"}], "hackerone": [{"lastseen": "2018-08-31T00:39:17", "bulletinFamily": "bugbounty", "bounty": 1500.0, "cvelist": ["CVE-2017-0903"], "description": "When parsing a gem POSTed to the `/api/v1/gems` endpoint, the rubygems.org application immediately calls `Gem::Package.new(body).spec` inside `app/models/pusher.rb`. The authors of the application correctly observed that parsing untrusted YAML is dangerous (since it can serialize more or less arbitrary objects), so they monkey-patched the spec parser to use `Psych.safe_load` set from `config/initializers/forbidden_yaml.rb`.\n\nHowever, `YAML.load` is called directly when parsing the gem's checksum file in `Gem::Package#read_checksums`. Using classes accessible within the application, I was able to turn this into a call to `Marshal.load` on attacker-controlled data. From there, I was able to use known Marshal exploitation techniques to achieve code execution on the server (I'm omitting some details here for brevity so that I can submit this report right away).\n\nA proof of concept, `poc.gem`, is attached. Run the exploit with the following command:\n`cat poc.gem | curl -H 'Content-Type: application/gzip' --data-binary @- -H 'Authorization: \u2588\u2588\u2588\u2588\u2588' https://rubygems.org/api/v1/gems`\n\nI ran the attached PoC twice. It just does a `wget` to my server.\n\nPlease let me know if I should clarify anything! Thanks for running this program.", "modified": "2017-11-09T05:56:39", "published": "2017-10-06T08:49:52", "id": "H1:274990", "href": "https://hackerone.com/reports/274990", "type": "hackerone", "title": "RubyGems: Remote code execution on rubygems.org", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:32:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-01-24T00:00:00", "id": "OPENVAS:1361412562310874041", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874041", "type": "openvas", "title": "Fedora Update for ruby FEDORA-2018-75e780a7c2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_75e780a7c2_ruby_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ruby FEDORA-2018-75e780a7c2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874041\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-24 07:46:26 +0100 (Wed, 24 Jan 2018)\");\n script_cve_id(\"CVE-2017-0903\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ruby FEDORA-2018-75e780a7c2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ruby on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-75e780a7c2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKBAFLNYLRALWWOAIAIE5HIJZCHTBF7O\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.4.3~86.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-02-21T00:00:00", "id": "OPENVAS:1361412562310874125", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874125", "type": "openvas", "title": "Fedora Update for ruby FEDORA-2018-0db545e976", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_0db545e976_ruby_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ruby FEDORA-2018-0db545e976\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874125\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-21 08:51:35 +0100 (Wed, 21 Feb 2018)\");\n script_cve_id(\"CVE-2017-0903\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ruby FEDORA-2018-0db545e976\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ruby on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-0db545e976\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGGW2LUP34YZMFG67MAULEWXBWVXZI6O\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.4.3~86.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0903", "CVE-2017-0902", "CVE-2017-0901"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843725", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843725", "type": "openvas", "title": "Ubuntu Update for ruby2.3 USN-3553-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3553_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ruby2.3 USN-3553-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843725\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:12:11 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for ruby2.3 USN-3553-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3553-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3553-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby2.3'\n package(s) announced via the USN-3553-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Ruby failed to validate specification names.\nAn attacker could possibly use a maliciously crafted gem to potentially\noverwrite any file on the filesystem. (CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An\nattacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903)\");\n\n script_tag(name:\"affected\", value:\"ruby2.3 on Ubuntu 17.10,\n Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.3-1ubuntu1.3\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.3-1ubuntu1.3\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.1-2~16.04.6\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.1-2~16.04.6\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033"], "description": "Several vulnerabilities have been discovered in the interpreter for the\nRuby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\naerodudrizzt reported a buffer underrun vulnerability in the sprintf\nmethod of the Kernel module resulting in heap memory corruption or\ninformation disclosure from the heap.\n\nCVE-2017-0903\nMax Justicz reported that RubyGems is prone to an unsafe object\ndeserialization vulnerability. When parsed by an application which\nprocesses gems, a specially crafted YAML formatted gem specification\ncan lead to remote code execution.\n\nCVE-2017-10784\nYusuke Endoh discovered an escape sequence injection vulnerability\nin the Basic authentication of WEBrick. An attacker can take\nadvantage of this flaw to inject malicious escape sequences to the\nWEBrick log and potentially execute control characters on the\nvictim", "modified": "2019-03-18T00:00:00", "published": "2017-11-11T00:00:00", "id": "OPENVAS:1361412562310704031", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704031", "type": "openvas", "title": "Debian Security Advisory DSA 4031-1 (ruby2.3 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_4031.nasl 14284 2019-03-18 15:02:15Z cfischer $\n#\n# Auto-generated from advisory DSA 4031-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704031\");\n script_version(\"$Revision: 14284 $\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\");\n script_name(\"Debian Security Advisory DSA 4031-1 (ruby2.3 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 16:02:15 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-11 00:00:00 +0100 (Sat, 11 Nov 2017)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2017/dsa-4031.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"ruby2.3 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 2.3.3-1+deb9u2.\n\nWe recommend that you upgrade your ruby2.3 packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the interpreter for the\nRuby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\naerodudrizzt reported a buffer underrun vulnerability in the sprintf\nmethod of the Kernel module resulting in heap memory corruption or\ninformation disclosure from the heap.\n\nCVE-2017-0903\nMax Justicz reported that RubyGems is prone to an unsafe object\ndeserialization vulnerability. When parsed by an application which\nprocesses gems, a specially crafted YAML formatted gem specification\ncan lead to remote code execution.\n\nCVE-2017-10784\nYusuke Endoh discovered an escape sequence injection vulnerability\nin the Basic authentication of WEBrick. An attacker can take\nadvantage of this flaw to inject malicious escape sequences to the\nWEBrick log and potentially execute control characters on the\nvictim's terminal emulator when reading logs.\n\nCVE-2017-14033\nasac reported a buffer underrun vulnerability in the OpenSSL\nextension. A remote attacker can take advantage of this flaw to\ncause the Ruby interpreter to crash leading to a denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-dev\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-doc\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-tcltk\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-17742", "CVE-2017-10784", "CVE-2017-0902", "CVE-2018-1000074", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843784", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843784", "type": "openvas", "title": "Ubuntu Update for ruby2.3 USN-3685-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3685_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ruby2.3 USN-3685-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843784\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-14064\", \"CVE-2017-10784\", \"CVE-2017-17742\", \"CVE-2018-1000074\", \"CVE-2018-8777\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:18:53 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for ruby2.3 USN-3685-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3685-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3685-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby2.3'\n package(s) announced via the USN-3685-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Some of these CVE were already addressed in previous\nUSN: 3439-1, 3553-1, 3528-1. Here we address for\nthe remain releases.\n\nIt was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nIt was discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking\nvulnerability. An attacker could use this to possibly force the\nRubyGems client to download and install gems from a server that the\nattacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files.\nAn attacker could use this to possibly execute arbitrary code.\n(CVE-2017-0903)\n\nIt was discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to expose sensitive information.\n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to inject a crafted key\ninto a HTTP response. (CVE-2017-17742)\n\nIt was discovered that Ruby incorrectly handled certain files.\nAn attacker could possibly use this to execute arbitrary code.\nThis update is only addressed to ruby2.0. (CVE-2018-1000074)\n\nIt was discovered that Ruby incorrectly handled certain network\nrequests. An attacker could possibly use this to cause a denial of\nservice. (CVE-2018-8777)\");\n\n script_tag(name:\"affected\", value:\"ruby2.3 on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.12\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libruby2.0\", ver:\"2.0.0.484-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.12\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.3\", ver:\"1.9.3.484-2ubuntu1.12\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.0\", ver:\"2.0.0.484-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.3-1ubuntu1.6\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.3-1ubuntu1.6\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.1-2~16.04.10\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.1-2~16.04.10\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181067", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181067", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1067)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1067\");\n script_version(\"2020-01-23T11:11:28+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:11:28 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:11:28 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1067)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1067\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1067\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1067 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "Check the version of ruby", "modified": "2019-03-08T00:00:00", "published": "2018-03-14T00:00:00", "id": "OPENVAS:1361412562310882847", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882847", "type": "openvas", "title": "CentOS Update for ruby CESA-2018:0378 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_0378_ruby_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for ruby CESA-2018:0378 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882847\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-14 08:29:25 +0100 (Wed, 14 Mar 2018)\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\",\n \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\",\n \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for ruby CESA-2018:0378 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of ruby\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ruby is an extensible, interpreted,\nobject-oriented, scripting language. It has features to process text files and\nto perform system management tasks.\n\nSecurity Fix(es):\n\n * It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker could\nexploit this flaw to execute arbitrary commands by setting up a malicious\nFTP server and tricking a user or Ruby application into downloading files\nwith specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n * A buffer underflow was found in ruby's sprintf function. An attacker,\nwith ability to control its format string parameter, could send a specially\ncrafted string that would disclose heap memory or crash the interpreter.\n(CVE-2017-0898)\n\n * It was found that rubygems did not sanitize gem names during installation\nof a given gem. A specially crafted gem could use this flaw to install\nfiles outside of the regular directory. (CVE-2017-0901)\n\n * A vulnerability was found where rubygems did not sanitize DNS responses\nwhen requesting the hostname of the rubygems server for a domain, via a\n_rubygems._tcp DNS SRV query. An attacker with the ability to manipulate\nDNS responses could direct the gem command towards a different domain.\n(CVE-2017-0902)\n\n * A vulnerability was found where the rubygems module was vulnerable to an\nunsafe YAML deserialization when inspecting a gem. Applications inspecting\ngem files without installing them can be tricked to execute arbitrary code\nin the context of the ruby interpreter. (CVE-2017-0903)\n\n * It was found that WEBrick did not sanitize all its log messages. If logs\nwere printed in a terminal, an attacker could interact with the terminal\nvia the use of escape sequences. (CVE-2017-10784)\n\n * It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially crafted\nstring to the application in order to crash the ruby interpreter, causing a\ndenial of service. (CVE-2017-14033)\n\n * A vulnerability was found where rubygems did not properly sanitize gems'\nspecification text. A specially crafted gem could interact with the\nterminal via the use of escape sequences. (CVE-2017-0899)\n\n * It was found that rubygems could use an excessive amount of CPU while\nparsing a sufficiently long gem summary. A specially crafted gem from a gem\nrepository could freeze gem commands attempting to parse its summary.\n(CVE-2017-0900)\n\n * A buffer overflow vulnerability was found in the JSON extension of ruby.\nAn attacker with the ability to pass a specially crafted JSON input to the\nextension could use this flaw to ex ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ruby on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2018:0378\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-March/022791.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-devel\", rpm:\"ruby-devel~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-doc\", rpm:\"ruby-doc~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-bigdecimal\", rpm:\"rubygem-bigdecimal~1.2.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-io-console\", rpm:\"rubygem-io-console~0.4.2~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-json\", rpm:\"rubygem-json~1.7.7~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-minitest\", rpm:\"rubygem-minitest~4.3.2~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-psych\", rpm:\"rubygem-psych~2.0.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-rake\", rpm:\"rubygem-rake~0.9.6~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-rdoc\", rpm:\"rubygem-rdoc~4.0.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygems\", rpm:\"rubygems~2.0.14.1~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygems-devel\", rpm:\"rubygems-devel~2.0.14.1~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-tcltk\", rpm:\"ruby-tcltk~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:39:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181066", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181066", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1066)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1066\");\n script_version(\"2020-01-23T11:11:17+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:11:17 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:11:17 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1066)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1066\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1066\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1066 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181248", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181248", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1248)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1248\");\n script_version(\"2020-01-23T11:18:47+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:18:47 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:18:47 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1248)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1248\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1248\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1248 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '<pipe>' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.(CVE-2017-17790)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\nIt was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the inte ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS Virtualization 2.5.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:37:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191407", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191407", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-1407)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1407\");\n script_version(\"2020-01-23T11:42:38+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:42:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:42:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-1407)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1407\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1407\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2019-1407 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.(CVE-2017-17405)\n\nThe 'lazy_initialize' function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.(CVE-2017-17790)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary.(CVE-2017-0900)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory.(CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain.(CVE-2017-0902)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences.(CVE-2017-0899)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the inter preter's heap memory.(CVE-2017-14064)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences.(CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.(CVE-2017-14033)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter.(CVE-2017-0898)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.(CVE-2017-0903)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-bigdecimal\", rpm:\"rubygem-bigdecimal~1.2.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-io-console\", rpm:\"rubygem-io-console~0.4.2~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-json\", rpm:\"rubygem-json~1.7.7~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-psych\", rpm:\"rubygem-psych~2.0.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-rdoc\", rpm:\"rubygem-rdoc~4.0.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygems\", rpm:\"rubygems~2.0.14.1~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0903"], "description": "**Issue Overview:**\n\nUnsafe object deserialization through YAML formatted gem specifications: \nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. ([CVE-2017-0903 __](<https://access.redhat.com/security/cve/CVE-2017-0903>))\n\n \n**Affected Packages:** \n\n\nruby24, ruby22, ruby23\n\n \n**Issue Correction:** \nRun _yum update ruby24_ to update your system. \nRun _yum update ruby22_ to update your system. \nRun _yum update ruby23_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n rubygem22-bigdecimal-1.2.6-1.10.amzn1.i686 \n rubygem22-io-console-0.4.3-1.10.amzn1.i686 \n ruby22-debuginfo-2.2.9-1.10.amzn1.i686 \n ruby22-libs-2.2.9-1.10.amzn1.i686 \n ruby22-devel-2.2.9-1.10.amzn1.i686 \n rubygem22-psych-2.0.8.1-1.10.amzn1.i686 \n ruby22-2.2.9-1.10.amzn1.i686 \n ruby24-libs-2.4.3-1.30.5.amzn1.i686 \n rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.i686 \n rubygem24-psych-2.2.2-1.30.5.amzn1.i686 \n ruby24-devel-2.4.3-1.30.5.amzn1.i686 \n ruby24-debuginfo-2.4.3-1.30.5.amzn1.i686 \n rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.i686 \n ruby24-2.4.3-1.30.5.amzn1.i686 \n rubygem24-io-console-0.4.6-1.30.5.amzn1.i686 \n rubygem24-json-2.0.4-1.30.5.amzn1.i686 \n rubygem23-json-1.8.3.1-1.18.amzn1.i686 \n rubygem23-psych-2.1.0.1-1.18.amzn1.i686 \n ruby23-debuginfo-2.3.6-1.18.amzn1.i686 \n rubygem23-bigdecimal-1.2.8-1.18.amzn1.i686 \n ruby23-libs-2.3.6-1.18.amzn1.i686 \n rubygem23-io-console-0.4.5-1.18.amzn1.i686 \n ruby23-devel-2.3.6-1.18.amzn1.i686 \n ruby23-2.3.6-1.18.amzn1.i686 \n \n noarch: \n ruby22-doc-2.2.9-1.10.amzn1.noarch \n ruby22-irb-2.2.9-1.10.amzn1.noarch \n rubygems22-devel-2.4.5.2-1.10.amzn1.noarch \n rubygems22-2.4.5.2-1.10.amzn1.noarch \n ruby24-doc-2.4.3-1.30.5.amzn1.noarch \n rubygems24-devel-2.6.14-1.30.5.amzn1.noarch \n ruby24-irb-2.4.3-1.30.5.amzn1.noarch \n rubygems24-2.6.14-1.30.5.amzn1.noarch \n rubygem24-did_you_mean-1.1.0-1.30.5.amzn1.noarch \n ruby23-irb-2.3.6-1.18.amzn1.noarch \n rubygems23-2.5.2.2-1.18.amzn1.noarch \n ruby23-doc-2.3.6-1.18.amzn1.noarch \n rubygem23-did_you_mean-1.0.0-1.18.amzn1.noarch \n rubygems23-devel-2.5.2.2-1.18.amzn1.noarch \n \n src: \n ruby22-2.2.9-1.10.amzn1.src \n ruby24-2.4.3-1.30.5.amzn1.src \n ruby23-2.3.6-1.18.amzn1.src \n \n x86_64: \n ruby22-debuginfo-2.2.9-1.10.amzn1.x86_64 \n rubygem22-psych-2.0.8.1-1.10.amzn1.x86_64 \n ruby22-devel-2.2.9-1.10.amzn1.x86_64 \n rubygem22-io-console-0.4.3-1.10.amzn1.x86_64 \n rubygem22-bigdecimal-1.2.6-1.10.amzn1.x86_64 \n ruby22-libs-2.2.9-1.10.amzn1.x86_64 \n ruby22-2.2.9-1.10.amzn1.x86_64 \n ruby24-2.4.3-1.30.5.amzn1.x86_64 \n rubygem24-psych-2.2.2-1.30.5.amzn1.x86_64 \n ruby24-libs-2.4.3-1.30.5.amzn1.x86_64 \n ruby24-debuginfo-2.4.3-1.30.5.amzn1.x86_64 \n rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.x86_64 \n rubygem24-json-2.0.4-1.30.5.amzn1.x86_64 \n ruby24-devel-2.4.3-1.30.5.amzn1.x86_64 \n rubygem24-io-console-0.4.6-1.30.5.amzn1.x86_64 \n rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.x86_64 \n rubygem23-bigdecimal-1.2.8-1.18.amzn1.x86_64 \n ruby23-2.3.6-1.18.amzn1.x86_64 \n ruby23-libs-2.3.6-1.18.amzn1.x86_64 \n rubygem23-psych-2.1.0.1-1.18.amzn1.x86_64 \n rubygem23-io-console-0.4.5-1.18.amzn1.x86_64 \n rubygem23-json-1.8.3.1-1.18.amzn1.x86_64 \n ruby23-debuginfo-2.3.6-1.18.amzn1.x86_64 \n ruby23-devel-2.3.6-1.18.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-03-21T22:27:00", "published": "2018-03-21T22:27:00", "id": "ALAS-2018-978", "href": "https://alas.aws.amazon.com/ALAS-2018-978.html", "title": "Medium: ruby24, ruby22, ruby23", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "description": "**Issue Overview:**\n\nArbitrary heap exposure during a JSON.generate call \nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a &#x27;\\\\\\0&#x27; byte, returning a pointer to a string of length zero, which is not the length stored in space_len. ([CVE-2017-14064 __](<https://access.redhat.com/security/cve/CVE-2017-14064>))\n\nEscape sequence injection vulnerability in the Basic authentication of WEBrick \nThe Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. ([CVE-2017-10784 __](<https://access.redhat.com/security/cve/CVE-2017-10784>))\n\nBuffer underrun in OpenSSL ASN1 decode \nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. ([CVE-2017-14033 __](<https://access.redhat.com/security/cve/CVE-2017-14033>))\n\nNo size limit in summary length of gem spec \nRubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. ([CVE-2017-0900 __](<https://access.redhat.com/security/cve/CVE-2017-0900>))\n\nArbitrary file overwrite due to incorrect validation of specification name \nRubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. ([CVE-2017-0901 __](<https://access.redhat.com/security/cve/CVE-2017-0901>))\n\nDNS hijacking vulnerability \nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. ([CVE-2017-0902 __](<https://access.redhat.com/security/cve/CVE-2017-0902>))\n\nBuffer underrun vulnerability in Kernel.sprintf \nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. ([CVE-2017-0898 __](<https://access.redhat.com/security/cve/CVE-2017-0898>))\n\nEscape sequence in the \"summary\" field of gemspec \nRubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. ([CVE-2017-0899 __](<https://access.redhat.com/security/cve/CVE-2017-0899>))\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. ([CVE-2017-0903 __](<https://access.redhat.com/security/cve/CVE-2017-0903>))\n\n \n**Affected Packages:** \n\n\nruby24\n\n \n**Issue Correction:** \nRun _yum update ruby24_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.i686 \n rubygem24-io-console-0.4.6-1.30.4.amzn1.i686 \n ruby24-devel-2.4.2-1.30.4.amzn1.i686 \n rubygem24-json-2.0.4-1.30.4.amzn1.i686 \n rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.i686 \n rubygem24-psych-2.2.2-1.30.4.amzn1.i686 \n ruby24-debuginfo-2.4.2-1.30.4.amzn1.i686 \n ruby24-2.4.2-1.30.4.amzn1.i686 \n ruby24-libs-2.4.2-1.30.4.amzn1.i686 \n \n noarch: \n rubygem24-did_you_mean-1.1.0-1.30.4.amzn1.noarch \n rubygems24-2.6.13-1.30.4.amzn1.noarch \n rubygems24-devel-2.6.13-1.30.4.amzn1.noarch \n ruby24-irb-2.4.2-1.30.4.amzn1.noarch \n ruby24-doc-2.4.2-1.30.4.amzn1.noarch \n \n src: \n ruby24-2.4.2-1.30.4.amzn1.src \n \n x86_64: \n ruby24-devel-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.x86_64 \n rubygem24-json-2.0.4-1.30.4.amzn1.x86_64 \n rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.x86_64 \n ruby24-2.4.2-1.30.4.amzn1.x86_64 \n ruby24-debuginfo-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-io-console-0.4.6-1.30.4.amzn1.x86_64 \n ruby24-libs-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-psych-2.2.2-1.30.4.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2017-10-26T17:01:00", "published": "2017-10-26T17:01:00", "id": "ALAS-2017-915", "href": "https://alas.aws.amazon.com/ALAS-2017-915.html", "title": "Medium: ruby24", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:34:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2015-9096", "CVE-2017-14064", "CVE-2017-0901"], "description": "**Issue Overview:**\n\nSMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP \nA SMTP command injection flaw was found in the way Ruby&#x27;s Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns. ([CVE-2015-9096 __](<https://access.redhat.com/security/cve/CVE-2015-9096>))\n\nEscape sequence injection vulnerability in the Basic authentication of WEBrick \nThe Basic authentication code in WEBrick library in Ruby allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. ([CVE-2017-10784 __](<https://access.redhat.com/security/cve/CVE-2017-10784>))\n\nBuffer underrun in OpenSSL ASN1 decode \nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers to cause a denial of service (interpreter crash) via a crafted string. ([CVE-2017-14033 __](<https://access.redhat.com/security/cve/CVE-2017-14033>))\n\nNo size limit in summary length of gem spec \nRubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. ([CVE-2017-0900 __](<https://access.redhat.com/security/cve/CVE-2017-0900>))\n\nArbitrary file overwrite due to incorrect validation of specification name \nRubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. ([CVE-2017-0901 __](<https://access.redhat.com/security/cve/CVE-2017-0901>))\n\nDNS hijacking vulnerability \nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. ([CVE-2017-0902 __](<https://access.redhat.com/security/cve/CVE-2017-0902>))\n\nBuffer underrun vulnerability in Kernel.sprintf \nRuby is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. ([CVE-2017-0898 __](<https://access.redhat.com/security/cve/CVE-2017-0898>))\n\nEscape sequence in the \"summary\" field of gemspec \nRubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. ([CVE-2017-0899 __](<https://access.redhat.com/security/cve/CVE-2017-0899>))\n\nArbitrary heap exposure during a JSON.generate call \nRuby can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a &#x27;\\\\\\0&#x27; byte, returning a pointer to a string of length zero, which is not the length stored in space_len. ([CVE-2017-14064 __](<https://access.redhat.com/security/cve/CVE-2017-14064>))\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. ([CVE-2017-0903 __](<https://access.redhat.com/security/cve/CVE-2017-0903>))\n\n \n**Affected Packages:** \n\n\nruby22, ruby23\n\n \n**Issue Correction:** \nRun _yum update ruby22_ to update your system. \nRun _yum update ruby23_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ruby22-libs-2.2.8-1.9.amzn1.i686 \n rubygem22-psych-2.0.8.1-1.9.amzn1.i686 \n ruby22-debuginfo-2.2.8-1.9.amzn1.i686 \n ruby22-2.2.8-1.9.amzn1.i686 \n ruby22-devel-2.2.8-1.9.amzn1.i686 \n rubygem22-io-console-0.4.3-1.9.amzn1.i686 \n rubygem22-bigdecimal-1.2.6-1.9.amzn1.i686 \n rubygem23-psych-2.1.0.1-1.17.amzn1.i686 \n rubygem23-io-console-0.4.5-1.17.amzn1.i686 \n rubygem23-json-1.8.3.1-1.17.amzn1.i686 \n ruby23-devel-2.3.5-1.17.amzn1.i686 \n ruby23-debuginfo-2.3.5-1.17.amzn1.i686 \n ruby23-2.3.5-1.17.amzn1.i686 \n rubygem23-bigdecimal-1.2.8-1.17.amzn1.i686 \n ruby23-libs-2.3.5-1.17.amzn1.i686 \n \n noarch: \n ruby22-irb-2.2.8-1.9.amzn1.noarch \n rubygems22-devel-2.4.5.2-1.9.amzn1.noarch \n rubygems22-2.4.5.2-1.9.amzn1.noarch \n ruby22-doc-2.2.8-1.9.amzn1.noarch \n ruby23-doc-2.3.5-1.17.amzn1.noarch \n rubygem23-did_you_mean-1.0.0-1.17.amzn1.noarch \n rubygems23-devel-2.5.2.1-1.17.amzn1.noarch \n rubygems23-2.5.2.1-1.17.amzn1.noarch \n ruby23-irb-2.3.5-1.17.amzn1.noarch \n \n src: \n ruby22-2.2.8-1.9.amzn1.src \n ruby23-2.3.5-1.17.amzn1.src \n \n x86_64: \n ruby22-2.2.8-1.9.amzn1.x86_64 \n ruby22-devel-2.2.8-1.9.amzn1.x86_64 \n ruby22-debuginfo-2.2.8-1.9.amzn1.x86_64 \n rubygem22-bigdecimal-1.2.6-1.9.amzn1.x86_64 \n ruby22-libs-2.2.8-1.9.amzn1.x86_64 \n rubygem22-psych-2.0.8.1-1.9.amzn1.x86_64 \n rubygem22-io-console-0.4.3-1.9.amzn1.x86_64 \n rubygem23-json-1.8.3.1-1.17.amzn1.x86_64 \n ruby23-debuginfo-2.3.5-1.17.amzn1.x86_64 \n rubygem23-psych-2.1.0.1-1.17.amzn1.x86_64 \n ruby23-libs-2.3.5-1.17.amzn1.x86_64 \n ruby23-2.3.5-1.17.amzn1.x86_64 \n rubygem23-bigdecimal-1.2.8-1.17.amzn1.x86_64 \n rubygem23-io-console-0.4.5-1.17.amzn1.x86_64 \n ruby23-devel-2.3.5-1.17.amzn1.x86_64 \n \n \n", "edition": 6, "modified": "2017-10-02T17:01:00", "published": "2017-10-02T17:01:00", "id": "ALAS-2017-906", "href": "https://alas.aws.amazon.com/ALAS-2017-906.html", "title": "Medium: ruby22, ruby23", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:33:47", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0903", "CVE-2017-0902", "CVE-2017-0901"], "description": "It was discovered that Ruby failed to validate specification names. \nAn attacker could possibly use a maliciously crafted gem to potentially \noverwrite any file on the filesystem. (CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. \nAn attacker could use this to possibly force the RubyGems client to download \nand install gems from a server that the attacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An attacker could \nuse this to possibly execute arbitrary code. (CVE-2017-0903)", "edition": 5, "modified": "2018-01-31T00:00:00", "published": "2018-01-31T00:00:00", "id": "USN-3553-1", "href": "https://ubuntu.com/security/notices/USN-3553-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-17742", "CVE-2017-10784", "CVE-2017-0902", "CVE-2018-1000074", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901"], "description": "Some of these CVE were already addressed in previous \nUSN: 3439-1, 3553-1, 3528-1. Here we address for \nthe remain releases.\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to overwrite any file on the filesystem. \n(CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. \nAn attacker could use this to possibly force the RubyGems client to download \nand install gems from a server that the attacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. \nAn attacker could use this to possibly execute arbitrary code. (CVE-2017-0903)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to expose sensitive information. \n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain network requests. \nAn attacker could possibly use this to inject a crafted key into a HTTP \nresponse. (CVE-2017-17742)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could possibly use this to execute arbitrary code. \nThis update is only addressed to ruby2.0. (CVE-2018-1000074)\n\nIt was discovered that Ruby incorrectly handled certain network requests. \nAn attacker could possibly use this to cause a denial of service. \n(CVE-2018-8777)", "edition": 5, "modified": "2018-06-13T00:00:00", "published": "2018-06-13T00:00:00", "id": "USN-3685-1", "href": "https://ubuntu.com/security/notices/USN-3685-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T01:05:17", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4031-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 11, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ruby2.3\nCVE ID : CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033\nDebian Bug : 875928 875931 875936 879231\n\nSeveral vulnerabilities have been discovered in the interpreter for the\nRuby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\n\n aerodudrizzt reported a buffer underrun vulnerability in the sprintf\n method of the Kernel module resulting in heap memory corruption or\n information disclosure from the heap.\n\nCVE-2017-0903\n\n Max Justicz reported that RubyGems is prone to an unsafe object\n deserialization vulnerability. When parsed by an application which\n processes gems, a specially crafted YAML formatted gem specification\n can lead to remote code execution.\n\nCVE-2017-10784\n\n Yusuke Endoh discovered an escape sequence injection vulnerability\n in the Basic authentication of WEBrick. An attacker can take\n advantage of this flaw to inject malicious escape sequences to the\n WEBrick log and potentially execute control characters on the\n victim&#x27;s terminal emulator when reading logs.\n\nCVE-2017-14033\n\n asac reported a buffer underrun vulnerability in the OpenSSL\n extension. A remote attacker can take advantage of this flaw to\n cause the Ruby interpreter to crash leading to a denial of service.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.3.3-1+deb9u2.\n\nWe recommend that you upgrade your ruby2.3 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-11-11T14:46:21", "published": "2017-11-11T14:46:21", "id": "DEBIAN:DSA-4031-1:AC0D9", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00294.html", "title": "[SECURITY] [DSA 4031-1] ruby2.3 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-11T01:30:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2018-8778", "CVE-2017-17742", "CVE-2017-0899", "CVE-2017-10784", "CVE-2018-8780", "CVE-2018-1000078", "CVE-2016-2339", "CVE-2018-1000075", "CVE-2018-1000076", "CVE-2016-7798", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2015-9096", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901", "CVE-2018-8779", "CVE-2018-1000077", "CVE-2018-1000079", "CVE-2018-6914"], "description": "Package : ruby2.1\nVersion : 2.1.5-2+deb8u4\nCVE ID : CVE-2015-9096 CVE-2016-2339 CVE-2016-7798 CVE-2017-0898\n CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902\n CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064\n CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914\n CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780\n CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077\n CVE-2018-1000078 CVE-2018-1000079\nDebian Bug : 851161\n\nMultiple vulnerabilities were found in the interpreter for the Ruby\nlanguage. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2015-9096\n\n SMTP command injection in Net::SMTP via CRLF sequences in a RCPT TO\n or MAIL FROM command.\n\nCVE-2016-2339\n\n Exploitable heap overflow in Fiddle::Function.new.\n\nCVE-2016-7798\n\n Incorrect handling of initialization vector in the GCM mode in the\n OpenSSL extension.\n\nCVE-2017-0898\n\n Buffer underrun vulnerability in Kernel.sprintf.\n\nCVE-2017-0899\n\n ANSI escape sequence vulnerability in RubyGems.\n\nCVE-2017-0900\n\n DoS vulnerability in the RubyGems query command.\n\nCVE-2017-0901\n\n gem installer allowed a malicious gem to overwrite arbitrary files.\n\nCVE-2017-0902\n\n RubyGems DNS request hijacking vulnerability.\n\nCVE-2017-0903\n\n Max Justicz reported that RubyGems is prone to an unsafe object\n deserialization vulnerability. When parsed by an application which\n processes gems, a specially crafted YAML formatted gem specification\n can lead to remote code execution.\n\nCVE-2017-10784\n\n Yusuke Endoh discovered an escape sequence injection vulnerability in\n the Basic authentication of WEBrick. An attacker can take advantage of\n this flaw to inject malicious escape sequences to the WEBrick log and\n potentially execute control characters on the victim&#x27;s terminal\n emulator when reading logs.\n\nCVE-2017-14033\n\n asac reported a buffer underrun vulnerability in the OpenSSL\n extension. A remote attacker could take advantage of this flaw to\n cause the Ruby interpreter to crash leading to a denial of service.\n\nCVE-2017-14064\n\n Heap memory disclosure in the JSON library.\n\nCVE-2017-17405\n\n A command injection vulnerability in Net::FTP might allow a\n malicious FTP server to execute arbitrary commands.\n\nCVE-2017-17742\n\n Aaron Patterson reported that WEBrick bundled with Ruby was vulnerable\n to an HTTP response splitting vulnerability. It was possible for an\n attacker to inject fake HTTP responses if a script accepted an\n external input and output it without modifications.\n\nCVE-2017-17790\n\n A command injection vulnerability in lib/resolv.rb&#x27;s lazy_initialze\n might allow a command injection attack. However untrusted input to\n this function is rather unlikely.\n\nCVE-2018-6914\n\n ooooooo_q discovered a directory traversal vulnerability in the\n Dir.mktmpdir method in the tmpdir library. It made it possible for\n attackers to create arbitrary directories or files via a .. (dot dot)\n in the prefix argument.\n\nCVE-2018-8777\n\n Eric Wong reported an out-of-memory DoS vulnerability related to a\n large request in WEBrick bundled with Ruby.\n\nCVE-2018-8778\n\n aerodudrizzt found a buffer under-read vulnerability in the Ruby\n String#unpack method. If a big number was passed with the specifier @,\n the number was treated as a negative value, and an out-of-buffer read\n occurred. Attackers could read data on heaps if an script accepts an\n external input as the argument of String#unpack.\n\nCVE-2018-8779\n\n ooooooo_q reported that the UNIXServer.open and UNIXSocket.open\n methods of the socket library bundled with Ruby did not check for NUL\n bytes in the path argument. The lack of check made the methods\n vulnerable to unintentional socket creation and unintentional socket\n access.\n\nCVE-2018-8780\n\n ooooooo_q discovered an unintentional directory traversal in\n some methods in Dir, by the lack of checking for NUL bytes in their\n parameter.\n\nCVE-2018-1000075\n\n A negative size vulnerability in ruby gem package tar header that could\n cause an infinite loop.\n\nCVE-2018-1000076\n\n RubyGems package improperly verifies cryptographic signatures. A mis-signed\n gem could be installed if the tarball contains multiple gem signatures.\n\nCVE-2018-1000077\n\n An improper input validation vulnerability in RubyGems specification\n homepage attribute could allow malicious gem to set an invalid homepage\n URL.\n\nCVE-2018-1000078\n\n Cross Site Scripting (XSS) vulnerability in gem server display of homepage\n attribute.\n\nCVE-2018-1000079\n\n Path Traversal vulnerability during gem installation.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n2.1.5-2+deb8u4.\n\nWe recommend that you upgrade your ruby2.1 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-07-14T06:29:07", "published": "2018-07-14T06:29:07", "id": "DEBIAN:DLA-1421-1:5BC60", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201807/msg00012.html", "title": "[SECURITY] [DLA 1421-1] ruby2.1 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:08", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14064"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby24-ruby (2.4.2). (BZ#1506785)\n\nSecurity Fix(es):\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)", "modified": "2018-06-13T01:28:23", "published": "2017-12-19T13:13:07", "id": "RHSA-2017:3485", "href": "https://access.redhat.com/errata/RHSA-2017:3485", "type": "redhat", "title": "(RHSA-2017:3485) Moderate: rh-ruby24-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:47", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2), rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5), rh-ruby23-rubygem-psych (2.1.0.1). (BZ#1549649)\n\nSecurity Fix(es):\n\n* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)\n\n* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)\n\n* rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)\n\n* rubygems: DNS hijacking vulnerability (CVE-2017-0902)\n\n* rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)\n\n* ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)\n\n* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)\n\n* rubygems: Escape sequence in the \"summary\" field of gemspec (CVE-2017-0899)\n\n* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)\n\n* ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)\n\n* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-06-13T01:28:24", "published": "2018-03-26T13:13:23", "id": "RHSA-2018:0585", "href": "https://access.redhat.com/errata/RHSA-2018:0585", "type": "redhat", "title": "(RHSA-2018:0585) Important: rh-ruby23-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:50", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nSecurity Fix(es):\n\n* It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\n* The \"lazy_initialize\" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)", "modified": "2018-04-12T03:32:45", "published": "2018-02-28T21:24:33", "id": "RHSA-2018:0378", "href": "https://access.redhat.com/errata/RHSA-2018:0378", "type": "redhat", "title": "(RHSA-2018:0378) Important: ruby security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:19", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5147", "CVE-2015-7551", "CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby22-ruby (2.2.9), rh-ruby22-rubygems (2.4.5.4), rh-ruby22-rubygem-psych (2.0.8.1), rh-ruby22-rubygem-json (1.8.1.1). (BZ#1549646)\n\nSecurity Fix(es):\n\n* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)\n\n* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)\n\n* rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)\n\n* rubygems: DNS hijacking vulnerability (CVE-2017-0902)\n\n* rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)\n\n* ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)\n\n* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)\n\n* ruby: DL::dlopen could open a library with tainted library name (CVE-2009-5147, CVE-2015-7551)\n\n* rubygems: Escape sequence in the \"summary\" field of gemspec (CVE-2017-0899)\n\n* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)\n\n* ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)\n\n* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-06-13T01:28:16", "published": "2018-03-26T13:12:14", "id": "RHSA-2018:0583", "href": "https://access.redhat.com/errata/RHSA-2018:0583", "type": "redhat", "title": "(RHSA-2018:0583) Important: rh-ruby22-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:38:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "**CentOS Errata and Security Advisory** CESA-2018:0378\n\n\nRuby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nSecurity Fix(es):\n\n* It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\n* The \"lazy_initialize\" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-March/034829.html\n\n**Affected packages:**\nruby\nruby-devel\nruby-doc\nruby-irb\nruby-libs\nruby-tcltk\nrubygem-bigdecimal\nrubygem-io-console\nrubygem-json\nrubygem-minitest\nrubygem-psych\nrubygem-rake\nrubygem-rdoc\nrubygems\nrubygems-devel\n\n**Upstream details at:**\n", "edition": 4, "modified": "2018-03-10T11:53:01", "published": "2018-03-10T11:53:01", "href": "http://lists.centos.org/pipermail/centos-announce/2018-March/034829.html", "id": "CESA-2018:0378", "type": "centos", "title": "ruby, rubygem, rubygems security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:10:58", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "[2.0.0.648-33]\n- Fix always passing WEBrick test.\n[2.0.0.648-32]\n- Add Psych.safe_load\n * ruby-2.1.0-there-should-be-only-one-exception.patch\n * ruby-2.1.0-Adding-Psych.safe_load.patch\n Related: CVE-2017-0903\n- Disable Tokyo TZ tests broken by recen tzdata update.\n * ruby-2.5.0-Disable-Tokyo-TZ-tests.patch\n Related: CVE-2017-0903\n[2.0.0.648-31]\n- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).\n * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization\n -vulnerability.patch\n Resolves: CVE-2017-0903\n- Fix an ANSI escape sequence vulnerability (CVE-2017-0899).\n Resolves: CVE-2017-0899\n- Fix a DOS vulernerability in the query command (CVE-2017-0900).\n Resolves: CVE-2017-0900\n- Fix a vulnerability in the gem installer that allowed a malicious gem\n to overwrite arbitrary files (CVE-2017-0901).\n Resolves: CVE-2017-0901\n- Fix a DNS request hijacking vulnerability (CVE-2017-0902).\n * ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch\n Resolves: CVE-2017-0902\n- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).\n * ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch\n Resolves: CVE-2017-0898\n- Escape sequence injection vulnerability in the Basic\n authentication of WEBrick (CVE-2017-10784).\n * ruby-2.2.8-sanitize-any-type-of-logs.patch\n Resolves: CVE-2017-10784\n- Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).\n * ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch\n Resolves: CVE-2017-14064\n- Command injection vulnerability in Net::FTP (CVE-2017-17405).\n * ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch\n Resolves: CVE-2017-17405\n- Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).\n * ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch\n Resolves: CVE-2017-14033\n- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code\n execution(CVE-2017-17790).\n * ruby-2.5.0-Fixed-command-Injection.patch\n Resolves: CVE-2017-17790", "edition": 5, "modified": "2018-02-28T00:00:00", "published": "2018-02-28T00:00:00", "id": "ELSA-2018-0378", "href": "http://linux.oracle.com/errata/ELSA-2018-0378.html", "title": "ruby security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}