Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-8QXG-MFF5-J3WC
Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2023-03-10 02:32
VLAI?
Summary
RubyGems Path Traversal vulnerability
Details
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.
Severity ?
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby-stdlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000079"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-10T02:32:15Z",
"nvd_published_at": "2018-03-13T15:29:00Z",
"severity": "MODERATE"
},
"details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.",
"id": "GHSA-8qxg-mff5-j3wc",
"modified": "2023-03-10T02:32:15Z",
"published": "2022-05-14T01:54:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000079"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3621-1"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"type": "WEB",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "RubyGems Path Traversal vulnerability"
}
GSD-2018-1000079
Vulnerability from gsd - Updated: 2022-05-14 00:00Details
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability
in gem installation that can result in the gem writing to arbitrary filesystem locations
during installation. This attack appears to be exploitable via installation of a
malicious gem. This vulnerability is fixed in 2.7.6.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-1000079",
"description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.",
"id": "GSD-2018-1000079",
"references": [
"https://www.suse.com/security/cve/CVE-2018-1000079.html",
"https://www.debian.org/security/2018/dsa-4259",
"https://www.debian.org/security/2018/dsa-4219",
"https://access.redhat.com/errata/RHSA-2020:0663",
"https://access.redhat.com/errata/RHSA-2020:0591",
"https://access.redhat.com/errata/RHSA-2020:0542",
"https://access.redhat.com/errata/RHSA-2019:2028",
"https://access.redhat.com/errata/RHSA-2018:3731",
"https://access.redhat.com/errata/RHSA-2018:3730",
"https://access.redhat.com/errata/RHSA-2018:3729",
"https://ubuntu.com/security/CVE-2018-1000079",
"https://advisories.mageia.org/CVE-2018-1000079.html",
"https://alas.aws.amazon.com/cve/html/CVE-2018-1000079.html",
"https://linux.oracle.com/cve/CVE-2018-1000079.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update",
"purl": "pkg:gem/rubygems-update"
}
}
],
"aliases": [
"CVE-2018-1000079",
"GHSA-8qxg-mff5-j3wc"
],
"details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n",
"id": "GSD-2018-1000079",
"modified": "2022-05-14T00:00:00.000Z",
"published": "2022-05-14T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"type": "WEB",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.5,
"type": "CVSS_V3"
}
],
"summary": "RubyGems Path Traversal vulnerability"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2/18/2018 8:11:09",
"ID": "CVE-2018-1000079",
"REQUESTER": "craig.ingram@salesforce.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4219",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"name": "USN-3621-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"name": "RHSA-2018:3729",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
"refsource": "MISC",
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"name": "RHSA-2018:3730",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "DSA-4259",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
"refsource": "MISC",
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
"refsource": "MISC",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"name": "openSUSE-SU-2019:1771",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:2028",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"name": "RHSA-2020:0542",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"name": "RHSA-2020:0591",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"name": "RHSA-2020:0663",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2018-1000079",
"cvss_v3": 5.5,
"date": "2022-05-14",
"description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:\n2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and\nearlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability\nin gem installation that can result in the gem writing to arbitrary filesystem locations\nduring installation. This attack appears to be exploitable via installation of a\nmalicious gem. This vulnerability is fixed in 2.7.6.\n",
"gem": "rubygems-update",
"ghsa": "8qxg-mff5-j3wc",
"patched_versions": [
"\u003e= 2.7.6"
],
"related": {
"url": [
"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
"https://access.redhat.com/errata/RHSA-2018:3729",
"https://access.redhat.com/errata/RHSA-2018:3730",
"https://access.redhat.com/errata/RHSA-2018:3731",
"https://access.redhat.com/errata/RHSA-2019:2028",
"https://access.redhat.com/errata/RHSA-2020:0542",
"https://access.redhat.com/errata/RHSA-2020:0591",
"https://access.redhat.com/errata/RHSA-2020:0663",
"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html",
"https://usn.ubuntu.com/3621-1/",
"https://www.debian.org/security/2018/dsa-4219",
"https://www.debian.org/security/2018/dsa-4259",
"http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html",
"https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7",
"https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183",
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778",
"https://security-tracker.debian.org/tracker/CVE-2018-1000079"
]
},
"title": "RubyGems Path Traversal vulnerability",
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e2.2.9 \u003c=2.5.0",
"affected_versions": "All versions after 2.2.9 up to 2.5.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2018-11-30",
"description": "RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem.",
"fixed_versions": [
"2.5.1"
],
"identifier": "CVE-2018-1000079",
"identifiers": [
"CVE-2018-1000079"
],
"not_impacted": "All versions up to 2.2.9, all versions after 2.5.0",
"package_slug": "gem/rubygems-update",
"pubdate": "2018-03-13",
"solution": "Upgrade to version 2.5.1 or above.",
"title": "Path Traversal",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-1000079",
"http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
],
"uuid": "bab32120-5af7-4031-ad8b-f4f7a28cb972"
},
{
"affected_range": "(,9.1.16.0)",
"affected_versions": "All versions before 9.1.16.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2023-03-10",
"description": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.",
"fixed_versions": [
"9.1.16.0"
],
"identifier": "CVE-2018-1000079",
"identifiers": [
"GHSA-8qxg-mff5-j3wc",
"CVE-2018-1000079"
],
"not_impacted": "All versions starting from 9.1.16.0",
"package_slug": "maven/org.jruby/jruby-stdlib",
"pubdate": "2022-05-14",
"solution": "Upgrade to version 9.1.16.0 or above.",
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-1000079",
"https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
"https://access.redhat.com/errata/RHSA-2018:3729",
"https://access.redhat.com/errata/RHSA-2018:3730",
"https://access.redhat.com/errata/RHSA-2018:3731",
"https://access.redhat.com/errata/RHSA-2019:2028",
"https://access.redhat.com/errata/RHSA-2020:0542",
"https://access.redhat.com/errata/RHSA-2020:0591",
"https://access.redhat.com/errata/RHSA-2020:0663",
"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html",
"https://usn.ubuntu.com/3621-1/",
"https://www.debian.org/security/2018/dsa-4219",
"https://www.debian.org/security/2018/dsa-4259",
"http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html",
"https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7",
"https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183",
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778",
"https://security-tracker.debian.org/tracker/CVE-2018-1000079",
"https://github.com/advisories/GHSA-8qxg-mff5-j3wc"
],
"uuid": "a7b78a38-5efa-4682-a2c0-87c33db63da5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.9",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.3.6",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-1000079"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"name": "USN-3621-1",
"refsource": "UBUNTU",
"tags": [],
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"name": "DSA-4219",
"refsource": "DEBIAN",
"tags": [],
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "DSA-4259",
"refsource": "DEBIAN",
"tags": [],
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"name": "RHSA-2018:3731",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "RHSA-2018:3730",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3729",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"name": "openSUSE-SU-2019:1771",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:2028",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"name": "RHSA-2020:0542",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"name": "RHSA-2020:0591",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"name": "RHSA-2020:0663",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2018-11-30T11:29Z",
"publishedDate": "2018-03-13T15:29Z"
}
}
}
CVE-2018-1000079 (GCVE-0-2018-1000079)
Vulnerability from cvelistv5 – Published: 2018-03-13 15:00 – Updated: 2024-08-05 12:33
VLAI?
EPSS
Summary
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:33:49.201Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4219",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"name": "USN-3621-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "DSA-4259",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:2028",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"name": "RHSA-2020:0542",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"name": "RHSA-2020:0591",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"name": "RHSA-2020:0663",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-02-18T00:00:00",
"datePublic": "2018-03-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-03T18:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-4219",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"name": "USN-3621-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "DSA-4259",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:2028",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"name": "RHSA-2020:0542",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"name": "RHSA-2020:0591",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"name": "RHSA-2020:0663",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2/18/2018 8:11:09",
"ID": "CVE-2018-1000079",
"REQUESTER": "craig.ingram@salesforce.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4219",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"name": "USN-3621-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3621-1/"
},
{
"name": "RHSA-2018:3729",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"name": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099",
"refsource": "MISC",
"url": "https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"
},
{
"name": "RHSA-2018:3730",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "DSA-4259",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"name": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759",
"refsource": "MISC",
"url": "https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"
},
{
"name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html",
"refsource": "MISC",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"name": "openSUSE-SU-2019:1771",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:2028",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"name": "RHSA-2020:0542",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"name": "RHSA-2020:0591",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"name": "RHSA-2020:0663",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000079",
"datePublished": "2018-03-13T15:00:00",
"dateReserved": "2018-02-21T00:00:00",
"dateUpdated": "2024-08-05T12:33:49.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…