Lucene search

RubySecRUBY:RUBYGEMS-UPDATE-2018-1000078

HistoryMay 13, 2022 - 9:00 p.m.

RubyGems Cross-site Scripting vulnerability

2022-05-1321:00:00

RubySec

github.com

rubygems

xss

vulnerability

ruby 2.2

ruby 2.3

ruby 2.4

ruby 2.5

gem server

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability
in gem server display of homepage attribute that can result in XSS. This attack
requires the victim to browse to a malicious gem on a vulnerable gem server. This
vulnerability is fixed in 2.7.6.

Affected configurations

Vulners

Node

rubyrubygems-updateRange≤2.7.6

VendorProductVersionCPE
rubyrubygems-update*cpe:2.3:a:ruby:rubygems-update:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	rubygems-update	*	cpe:2.3:a:ruby:rubygems-update::::::::

References

github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

Related for RUBY:RUBYGEMS-UPDATE-2018-1000078