CVE-2017-0899 – rubygems-update
Package
Manager: gem
Name: rubygems-update
Vulnerable Version: >=0 <2.6.13
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.09672 (percentile 0.92606)
Details
RubyGems Code Injection vulnerability. RubyGems prior to 2.6.13 is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing such a gem specification would execute the embedded terminal escape sequences.
Metadata
Created: 2022-05-13T01:38:25Z
Modified: 2023-03-09T00:37:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7gcp-2gmq-w3xh/GHSA-7gcp-2gmq-w3xh.json
CWE IDs: CWE-150, CWE-94
Alternative ID: GHSA-7gcp-2gmq-w3xh
Finding: F422
Auto approve: 1