Fluid Attacks Database

Description

RubyGems Code Injection vulnerability RubyGems prior to 2.6.13 is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.10	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.12	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.13	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.14	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.3	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p352-r2 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| >=0 <2.2.8-r0	2.2.8-r0
alpine v3.15	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.16	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.5	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p352-r2 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| >=0 <2.3.5-r0	2.3.5-r0
alpine v3.8	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0
alpine v3.11	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| >=0 <2.4.2-r0	2.4.2-r0

1-10 of 28

Aliases

1. CVE-2017-08992. NVD-2017-08993. OSV-ALPINE-2017-08994. OSV-2017-08995. OSV-DEBIAN-2017-08996. GCVE-2017-08997. SECURITY-CVE-2017-08998. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. lists.debian.org13. security.gentoo.org14. SECURITY-TRACKER-CVE-2017-0899

References

1. https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f12. https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a4913. https://hackerone.com/reports/2263354. https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/10392495. https://web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100576#:~:text=1%20snapshot-,11%3A49%3A33,-Note6. https://www.debian.org/security/2017/dsa-39667. http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.