PublicDateAtUSN: 2018-03-13 Candidate: CVE-2018-1000078 PublicDate: 2018-03-13 15:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078 https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ https://ubuntu.com/security/notices/USN-3621-1 Description: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. Ubuntu-Description: It was discovered that the RubyGems embedded in JRuby contained a Cross Site Scripting (XSS) vulnerability. If a victim were to browse a malicious gem on a vulnerable gem server, an attacker could execute arbitrary javascript in the victim's browser. Notes: tyhicks> ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. Bugs: Priority: medium Discovered-by: Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM] Patches_ruby1.9.1: upstream_ruby1.9.1: needs-triage precise/esm_ruby1.9.1: DNE trusty_ruby1.9.1: released (1.9.3.484-2ubuntu1.8) trusty/esm_ruby1.9.1: DNE (trusty was released [1.9.3.484-2ubuntu1.8]) xenial_ruby1.9.1: DNE artful_ruby1.9.1: DNE bionic_ruby1.9.1: DNE cosmic_ruby1.9.1: DNE disco_ruby1.9.1: DNE eoan_ruby1.9.1: DNE focal_ruby1.9.1: DNE groovy_ruby1.9.1: DNE hirsute_ruby1.9.1: DNE impish_ruby1.9.1: DNE jammy_ruby1.9.1: DNE devel_ruby1.9.1: DNE Patches_ruby2.0: upstream_ruby2.0: needs-triage precise/esm_ruby2.0: DNE trusty_ruby2.0: released (2.0.0.484-1ubuntu2.6) trusty/esm_ruby2.0: DNE (trusty was released [2.0.0.484-1ubuntu2.6]) xenial_ruby2.0: DNE artful_ruby2.0: DNE bionic_ruby2.0: DNE cosmic_ruby2.0: DNE disco_ruby2.0: DNE eoan_ruby2.0: DNE focal_ruby2.0: DNE groovy_ruby2.0: DNE hirsute_ruby2.0: DNE impish_ruby2.0: DNE jammy_ruby2.0: DNE devel_ruby2.0: DNE Patches_ruby2.3: upstream_ruby2.3: needs-triage precise/esm_ruby2.3: DNE trusty_ruby2.3: DNE trusty/esm_ruby2.3: DNE xenial_ruby2.3: released (2.3.1-2~16.04.7) esm-infra/xenial_ruby2.3: released (2.3.1-2~16.04.7) artful_ruby2.3: released (2.3.3-1ubuntu1.4) bionic_ruby2.3: DNE cosmic_ruby2.3: DNE disco_ruby2.3: DNE eoan_ruby2.3: DNE focal_ruby2.3: DNE groovy_ruby2.3: DNE hirsute_ruby2.3: DNE impish_ruby2.3: DNE jammy_ruby2.3: DNE devel_ruby2.3: DNE Patches_jruby: upstream_jruby: needs-triage precise/esm_jruby: DNE trusty_jruby: ignored (reached end-of-life) trusty/esm_jruby: needed xenial_jruby: ignored (end of standard support, was needs-triage) artful_jruby: ignored (reached end-of-life) bionic_jruby: needs-triage cosmic_jruby: ignored (reached end-of-life) disco_jruby: not-affected (9.1.17.0-2) eoan_jruby: not-affected (9.1.17.0-3) focal_jruby: not-affected (9.1.17.0-3) groovy_jruby: not-affected (9.1.17.0-3) hirsute_jruby: not-affected (9.1.17.0-3) impish_jruby: not-affected (9.1.17.0-3) Patches_ruby2.5: upstream_ruby2.5: needs-triage precise/esm_ruby2.5: DNE trusty_ruby2.5: DNE trusty/esm_ruby2.5: DNE xenial_ruby2.5: DNE artful_ruby2.5: DNE bionic_ruby2.5: released (2.5.1-1) cosmic_ruby2.5: released (2.5.1-1) disco_ruby2.5: released (2.5.1-1) eoan_ruby2.5: released (2.5.1-1) focal_ruby2.5: DNE groovy_ruby2.5: DNE hirsute_ruby2.5: DNE impish_ruby2.5: DNE jammy_ruby2.5: DNE devel_ruby2.5: DNE Patches_ruby2.1: upstream_ruby2.1: needs-triage precise/esm_ruby2.1: DNE trusty_ruby2.1: DNE trusty/esm_ruby2.1: DNE xenial_ruby2.1: DNE artful_ruby2.1: DNE bionic_ruby2.1: DNE cosmic_ruby2.1: DNE disco_ruby2.1: DNE eoan_ruby2.1: DNE focal_ruby2.1: DNE groovy_ruby2.1: DNE hirsute_ruby2.1: DNE impish_ruby2.1: DNE jammy_ruby2.1: DNE devel_ruby2.1: DNE