Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-0901

Опубликовано: 01 сент. 2017
Источник: redhat
CVSS3: 6.5

Описание

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory.

Отчет

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 6, and 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6rubygemsWill not fix
Red Hat Enterprise MRG 2rubygemsUnder investigation
Red Hat Satellite 6rubygemsUnder investigation
Red Hat Subscription Asset Managerruby193-rubygemsUnder investigation
Red Hat Enterprise Linux 7rubyFixedRHSA-2018:037828.02.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6rh-ruby24-rubyFixedRHSA-2017:348519.12.2017
Red Hat Software Collections for Red Hat Enterprise Linux 6rh-ruby22-rubyFixedRHSA-2018:058326.03.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6rh-ruby23-rubyFixedRHSA-2018:058526.03.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUSrh-ruby24-rubyFixedRHSA-2017:348519.12.2017
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUSrh-ruby22-rubyFixedRHSA-2018:058326.03.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-138
https://bugzilla.redhat.com/show_bug.cgi?id=1487587rubygems: Arbitrary file overwrite due to incorrect validation of specification name

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2017-0901

CVSS3: 7.5
ubuntu
около 8 лет назад

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

nvd логотип

CVE-2017-0901

CVSS3: 7.5
nvd
около 8 лет назад

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

debian логотип

CVE-2017-0901

CVSS3: 7.5
debian
около 8 лет назад

RubyGems version 2.6.12 and earlier fails to validate specification na ...

github логотип

GHSA-pm9x-4392-2c2p

CVSS3: 7.5
github
больше 3 лет назад

RubyGems may allow a maliciously crafted gem to overwrite files

fstec логотип

BDU:2018-00026

CVSS3: 7.5
fstec
около 8 лет назад

Уязвимость менеджера пакетов rubygems, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю осуществить перезапись любого файла

6.5 Medium

CVSS3