CVE-2017-0903
Published: 11 October 2017
RubyGems versions 2.0.0 through 2.6.13 are affected by a possible remote code execution vulnerability: YAML deserialization of gem specifications can bypass the class whitelist, so specially crafted serialized objects may be used to escalate to remote code execution.
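Because the flaw is a deserialization whitelist bypass, the defensive check belongs before any object is built. The Ruby below is an added example, not RubyGems' own code or its fix: it walks the parsed YAML tree for `!ruby/object`-style tags, rejects any class outside an allow list, and only then deserializes with `Psych.safe_load` and an explicit `permitted_classes` list. The allow list, the names `GEMSPEC_ALLOWED_CLASSES`, `GemspecTagError`, `referenced_classes`, `unexpected_classes`, `load_gemspec_yaml`, and both sample documents are constructed for this example.

```ruby
require 'psych'
require 'rubygems'
require 'date'
# Classes a legitimate gem specification YAML is expected to reference. This allow
# list is an assumption made for the example, not the list RubyGems itself uses.
GEMSPEC_ALLOWED_CLASSES = %w[Gem::Specification Gem::Version Gem::Requirement
                             Gem::Dependency Gem::Platform Symbol Time Date].freeze
class GemspecTagError < StandardError; end
# Walk the YAML syntax tree (nothing is instantiated) and collect every Ruby class
# name referenced through a !ruby/object:-style tag.
def referenced_classes(yaml)
  names = []
  stack = [Psych.parse_stream(yaml)]
  until stack.empty?
    node = stack.pop
    tag = node.respond_to?(:tag) ? node.tag : nil
    if tag && (m = tag.match(%r{\A!ruby/(?:object|struct|hash|array|exception|marshalable):(.+)\z}))
      names << m[1]
    end
    stack.concat(node.children) if node.children
  end
  names.uniq
end
# Referenced class names that fall outside the allow list.
def unexpected_classes(yaml)
  referenced_classes(yaml) - GEMSPEC_ALLOWED_CLASSES
end
# Refuse the document if the scan is not clean; otherwise deserialize with
# Psych.safe_load and an explicit permitted_classes list rather than a full load.
def load_gemspec_yaml(yaml)
  bad = unexpected_classes(yaml)
  raise GemspecTagError, "unexpected classes in gemspec: #{bad.join(', ')}" unless bad.empty?
  permitted = GEMSPEC_ALLOWED_CLASSES.map { |name| Object.const_get(name) }
  Psych.safe_load(yaml, permitted_classes: permitted, aliases: true)
end
# Constructed sample inputs: a minimal benign specification, and one that carries
# a tag for a class a gem specification has no reason to reference.
GOOD_GEMSPEC = <<~YAML
  --- !ruby/object:Gem::Specification
  name: example
  version: !ruby/object:Gem::Version
    version: 1.0.0
  platform: ruby
YAML
BAD_GEMSPEC = <<~YAML
  --- !ruby/object:Gem::Specification
  name: example
  metadata: !ruby/object:Foo
    x: 1
YAML
```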
Notes
| Author | Note |
|---|---|
| tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |
| leosilva | following http://www.openwall.com/lists/oss-security/2017/10/10/2, versions < 2.0.0 of ruby are not affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
| jruby (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
| | bionic | Not vulnerable (0.1.17.0-1~18.04) |
| | cosmic | Ignored (end of life) |
| | disco | Not vulnerable (0.1.17.0-1~18.04) |
| | eoan | Not vulnerable (0.1.17.0-1~18.04) |
| | focal | Not vulnerable (0.1.17.0-1~18.04) |
| | zesty | Ignored (end of life) |
| | trusty | Needs triage |
| | hirsute | Not vulnerable (0.1.17.0-1~18.04) |
| | xenial | Needed |
| | groovy | Not vulnerable (0.1.17.0-1~18.04) |
| | impish | Not vulnerable (0.1.17.0-1~18.04) |
| | upstream | Released (0.1.17.0-1~18.04) |
| | mantic | Not vulnerable (9.3.9.0+ds-1) |
| | lunar | Ignored (end of life, was needs-triage) |
| ruby1.9.1 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist |
| | artful | Does not exist |
| | bionic | Does not exist |
| | cosmic | Does not exist |
| | disco | Does not exist |
| | eoan | Does not exist |
| | focal | Does not exist |
| | groovy | Does not exist |
| | impish | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | lunar | Does not exist |
| | trusty | Does not exist (trusty was not-affected [code not present]) |
| | upstream | Needs triage |
| | xenial | Does not exist |
| | zesty | Does not exist |
| | mantic | Does not exist |
| ruby2.0 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist |
| | artful | Does not exist |
| | bionic | Does not exist |
| | cosmic | Does not exist |
| | disco | Does not exist |
| | eoan | Does not exist |
| | focal | Does not exist |
| | groovy | Does not exist |
| | impish | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | lunar | Does not exist |
| | trusty | Released (2.0.0.484-1ubuntu2.10) |
| | upstream | Needs triage |
| | xenial | Does not exist |
| | zesty | Does not exist |
| | mantic | Does not exist |
| ruby2.3 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist |
| | artful | Released (2.3.3-1ubuntu1.3) |
| | bionic | Does not exist |
| | cosmic | Does not exist |
| | disco | Does not exist |
| | eoan | Does not exist |
| | focal | Does not exist |
| | groovy | Does not exist |
| | impish | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | lunar | Does not exist |
| | trusty | Does not exist |
| | upstream | Needs triage |
| | xenial | Released (2.3.1-2~16.04.6) |
| | zesty | Ignored (end of life) |
| | mantic | Does not exist |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
- https://hackerone.com/reports/274990
- https://ubuntu.com/security/notices/USN-3553-1
- https://ubuntu.com/security/notices/USN-3685-1
- https://ubuntu.com/security/notices/USN-3685-2
- NVD
- Launchpad
- Debian