Lucene search

GitHub Advisory DatabaseGHSA-7GCP-2GMQ-W3XH

HistoryMay 13, 2022 - 1:38 a.m.

RubyGems Code Injection vulnerability

2022-05-1301:38:25

CWE-94

CWE-150

GitHub Advisory Database

github.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.02 Low

EPSS

Percentile

88.8%

JSON

RubyGems prior to 2.6.13 is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

CPENameOperatorVersion
rubygems-updatelt2.6.13

CPE	Name	Operator	Version
	rubygems-update	lt	2.6.13

References

blog.rubygems.org/2017/08/27/2.6.13-released.html

access.redhat.com/errata/RHSA-2017:3485

access.redhat.com/errata/RHSA-2018:0378

access.redhat.com/errata/RHSA-2018:0583

access.redhat.com/errata/RHSA-2018:0585

github.com/advisories/GHSA-7gcp-2gmq-w3xh

github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1

github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491

hackerone.com/reports/226335

lists.debian.org/debian-lts-announce/2018/07/msg00012.html

nvd.nist.gov/vuln/detail/CVE-2017-0899

security.gentoo.org/glsa/201710-01

web.archive.org/web/20170907215801/www.securitytracker.com/id/1039249

web.archive.org/web/20170915000000*/www.securityfocus.com/bid/100576#:~:text=1%20snapshot-,11%3A49%3A33,-Note

www.debian.org/security/2017/dsa-3966

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.02 Low

EPSS

Percentile

88.8%

JSON

Related for GHSA-7GCP-2GMQ-W3XH