Fluid Attacks Database

Description

RubyGems Improper Input Validation vulnerability RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem setting an invalid homepage URL. This vulnerability is fixed in 2.7.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jruby:jruby-stdlib	>=0 <9.1.16.0	9.1.16.0
debian 11	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 14	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 12	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 12	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 13	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
rubygems	rubygems-update	>=0 <2.7.6	2.7.6
debian 14	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 13	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
rpm rhel6	rubygems	-	-

1-10 of 13

Aliases

1. CVE-2018-10000772. NVD-2018-10000773. OSV-2018-10000774. OSV-DEBIAN-2018-10000775. GCVE-2018-10000776. lists.debian.org7. lists.debian.org8. lists.debian.org9. lists.debian.org10. lists.debian.org11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. SECURITY-TRACKER-CVE-2018-1000077

References

1. https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f72. https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce1833. https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb9644. https://www.debian.org/security/2018/dsa-42595. https://www.debian.org/security/2018/dsa-42196. https://usn.ubuntu.com/3621-17. http://blog.rubygems.org/2018/02/15/2.7.6-released.html8. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html