Lucene search

[email protected]NVD:CVE-2018-1000079

HistoryMar 13, 2018 - 3:29 p.m.

CVE-2018-1000079

2018-03-1315:29:00

CWE-22

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

7.4

Confidence

High

EPSS

0.01

Percentile

83.9%

JSON

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

Affected configurations

Nvd

Node

rubygemsrubygemsRange≤2.2.9

Node

rubygemsrubygemsRange≤2.3.6

Node

rubygemsrubygemsRange≤2.4.3

Node

rubygemsrubygemsRange≤2.5.0

VendorProductVersionCPE
rubygemsrubygems*cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rubygems	rubygems	*	cpe:2.3:a:rubygems:rubygems::::::::

References

blog.rubygems.org/2018/02/15/2.7.6-released.html

lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

access.redhat.com/errata/RHSA-2018:3729

access.redhat.com/errata/RHSA-2018:3730

access.redhat.com/errata/RHSA-2018:3731

access.redhat.com/errata/RHSA-2019:2028

access.redhat.com/errata/RHSA-2020:0542

access.redhat.com/errata/RHSA-2020:0591

access.redhat.com/errata/RHSA-2020:0663

github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099

github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759

lists.debian.org/debian-lts-announce/2018/07/msg00012.html

usn.ubuntu.com/3621-1/

www.debian.org/security/2018/dsa-4219

www.debian.org/security/2018/dsa-4259

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

7.4

Confidence

High

EPSS

0.01

Percentile

83.9%

JSON

Related for NVD:CVE-2018-1000079

ubuntucve1 redhatcve1 osv5 prion1 rubygems1 cvelist1 debiancve1 cve1 github1 veracode1 nessus30 openvas17 fedora2 ubuntu2 debian4 mageia2 amazon3 redhat7 centos1 oraclelinux1 suse1