CVE-2017-0899

Опубликовано: 31 авг. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

Ссылки

http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Patch
Vendor Advisory
http://www.securityfocus.com/bid/100576
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039249
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3485
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0583
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585
Third Party Advisory
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
Patch
Third Party Advisory
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
Patch
Third Party Advisory
https://hackerone.com/reports/226335
Exploit
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/201710-01
Third Party Advisory
https://www.debian.org/security/2017/dsa-3966
Third Party Advisory
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Patch
Vendor Advisory
http://www.securityfocus.com/bid/100576
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039249
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3485
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0583
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*

Версия до 2.6.12 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 91%

0.07362

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-150

CWE-94

Связанные уязвимости

CVE-2017-0899

CVSS3: 9.8

ubuntu

около 8 лет назад

CVE-2017-0899

CVSS3: 4.3

redhat

около 8 лет назад

CVE-2017-0899

CVSS3: 9.8

debian

около 8 лет назад

RubyGems version 2.6.12 and earlier is vulnerable to maliciously craft ...

GHSA-7gcp-2gmq-w3xh

CVSS3: 9.8

github

больше 3 лет назад

RubyGems Code Injection vulnerability

ELSA-2018-0378

oracle-oval

больше 7 лет назад

ELSA-2018-0378: ruby security update (IMPORTANT)

EPSS

Процентиль: 91%

0.07362

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-150

CWE-94