logo

Database

Lack of data validation - Path Traversal In rubygems

Description

RubyGems Path Traversal vulnerability RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

1-10 of 13

10

Aliases

1. CVE-2018-10000792. NVD-2018-10000793. OSV-DEBIAN-2018-10000794. OSV-2018-10000795. GCVE-2018-10000796. SECURITY-TRACKER-CVE-2018-10000797. lists.debian.org8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com

References

1. https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd7592. https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db9210993. https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f74. https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce1835. https://www.debian.org/security/2018/dsa-42596. https://www.debian.org/security/2018/dsa-42197. https://usn.ubuntu.com/3621-18. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=8957789. http://blog.rubygems.org/2018/02/15/2.7.6-released.html10. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.