2169 matches found
FreeBSD : rubygems -- deserialization vulnerability (2c8bd00d-ada2-11e7-82af-8dbff7d75206)
oss-security mailing list : There is a possible unsafe object desrialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution...
CVE-2017-0903
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter...
RubyGems Unsafe Object Deserialization Vulnerability
Exploit for linux platform in category remote exploits Unsafe Object Deserialization Vulnerability in RubyGems There is a possible unsafe object desrialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted...
GLSA-201710-01 : RubyGems: Multiple vulnerabilities
The remote host is affected by the vulnerability described in GLSA-201710-01 RubyGems: Multiple vulnerabilities Multiple vulnerabilities have been discovered in RubyGems. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing a user to install a speciall...
rubygems -- deserialization vulnerability
oss-security mailing list: There is a possible unsafe object desrialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution...
Unsafe Object Deserialization Vulnerability in RubyGems
There is a possible unsafe object deserialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution...
RubyGems: Multiple vulnerabilities
Background RubyGems is a sophisticated package manager for Ruby. Description Multiple vulnerabilities have been discovered in RubyGems. Please review the referenced CVE identifiers for details. Impact A remote attacker, by enticing a user to install a specially crafted gem, could possibly execute...
RubyGems: Gem signature forgery
Summary Inconsistencies in how gem processes gem files make it possible to reuse a signature from an existing signed gem and apply it to arbitrary contents. The forged gem will install even with -P HighSecurity. The attached file multijson-1.12.2.gem is a forged version of the genuine...
RubyGems: Remote code execution on rubygems.org
When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.newbody.spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...
Medium: ruby22, ruby23
Issue Overview: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP A SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands i...
[SECURITY] Fedora 27 Update: rubygems-2.6.13-100.fc27
RubyGems is the Ruby standard for publishing and managing third party libraries...
[SECURITY] [DLA 1112-1] rubygems security update
Package : rubygems Version : 1.8.24-1+deb7u1 CVE ID : CVE-2017-0900 CVE-2017-0901 Debian Bug : 873802 Some vulnerabilities were found in the Rubygems package that affects the LTS distribution. CVE-2017-0900 DOS vulernerability in the query command CVE-2017-0901 gem installer allows a malicious ge...
Debian DLA-1112-1 : rubygems security update
Some vulnerabilities were found in the Rubygems package that affects the LTS distribution. CVE-2017-0900 DOS vulernerability in the query command CVE-2017-0901 gem installer allows a malicious gem to overwrite arbitrary files For Debian 7 'Wheezy', these problems have been fixed in version...
DLA-1112-1 rubygems - security update
Bulletin has no description...
RubyGems: Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations
Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations The RubyGems installer attempts to prevent a gem from writing any files outside the install directory; however it is possible to bypass the check with a symbolic link in a crafted gem. Example structure of malicio...
RubyGems: Installer can modify other gems if gem name is specially crafted
Installer can modify other gems if gem name is specially crafted The installlocation function allows writing to certain files outside the installation directory. The installlocation function in lib/rubygems/package.rb attempts to ensure that files are not installed outside destinationdir. However...
Fedora 26 : rubygems (2017-20214ad330)
Update to RubyGems 2.6.13. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. %NASLMINLEVEL 70300 C...
Fedora Update for rubygems FEDORA-2017-20214ad330
The remote host is missing an update for the SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 26 Update: rubygems-2.6.13-100.fc26
RubyGems is the Ruby standard for publishing and managing third party libraries...