Fluid Attacks Database

Description

RubyGems vulnerable to Deserialization of Untrusted Data RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. The issue has been patched in 2.6.14.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	rubygems-update	>=2.0.0 <2.6.14	2.6.14
debian 14	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 13	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 12	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 11	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
rpm rhel7	ruby	<0:2.0.0.648-33.el7_4	0:2.0.0.648-33.el7_4

Aliases

1. CVE-2017-09032. NVD-2017-09033. OSV-2017-09034. OSV-DEBIAN-2017-09035. GCVE-2017-09036. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. lists.debian.org11. SECURITY-TRACKER-CVE-2017-0903

References

1. https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab492. https://hackerone.com/reports/2749903. https://usn.ubuntu.com/3553-14. https://usn.ubuntu.com/3685-15. https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/1012756. https://www.debian.org/security/2017/dsa-40317. http://blog.rubygems.org/2017/10/09/2.6.14-released.html8. http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html