Описание
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
Отчет
This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6. This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | rubygems | Not affected | ||
| Red Hat Enterprise MRG 2 | rubygems | Not affected | ||
| Red Hat Satellite 6 | rubygems | Not affected | ||
| Red Hat Subscription Asset Manager | ruby193-rubygems | Not affected | ||
| Red Hat Enterprise Linux 7 | ruby | Fixed | RHSA-2018:0378 | 28.02.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby24-ruby | Fixed | RHSA-2017:3485 | 19.12.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby22-ruby | Fixed | RHSA-2018:0583 | 26.03.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby23-ruby | Fixed | RHSA-2018:0585 | 26.03.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-ruby24-ruby | Fixed | RHSA-2017:3485 | 19.12.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-ruby22-ruby | Fixed | RHSA-2018:0583 | 26.03.2018 |
Показывать по
Дополнительная информация
Статус:
5.6 Medium
CVSS3
Связанные уязвимости
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possibl ...
RubyGems vulnerable to Deserialization of Untrusted Data
5.6 Medium
CVSS3