CVE-2017-0902
published 2017-08-31CVE-2017-0902: RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and…
high8.1CVSS 3.0
AVNACHPRNUINSUCHIHAH
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | rubygems | < rubygems 3.2.0~rc.1-1 (bookworm) | rubygems 3.2.0~rc.1-1 (bookworm) |
| hackerone | rubygems | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_workstation | — | — |
| rubygems | rubygems | <= 2.6.12 | — |
| rubygems | rubygems | >= 0 < 3.2.0~rc.1-1 | 3.2.0~rc.1-1 |
| rubygems | rubygems | >= 0 < 3.2.0~rc.1-1 | 3.2.0~rc.1-1 |
| rubygems | rubygems | >= 0 < 3.2.0~rc.1-1 | 3.2.0~rc.1-1 |
| rubygems | rubygems | >= 0 < 3.2.0~rc.1-1 | 3.2.0~rc.1-1 |
CVSS provenance
nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.1CRITICAL
OSV
RubyGems has Origin Validation Error vulnerability
osv·2022-05-13
CVE-2017-0902 [HIGH] RubyGems has Origin Validation Error vulnerability
RubyGems has Origin Validation Error vulnerability
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
GHSA
RubyGems has Origin Validation Error vulnerability
ghsa·2022-05-13
CVE-2017-0902 [HIGH] CWE-346 RubyGems has Origin Validation Error vulnerability
RubyGems has Origin Validation Error vulnerability
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
OSV
ruby2.0 regression
osv·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] ruby2.0 regression
ruby2.0 regression
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVE were already addressed in previous
USN: 3439-1, 3553-1, 3528-1. Here we address for
the remain releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls.
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
osv·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
Some of these CVE were already addressed in previous
USN: 3439-1, 3553-1, 3528-1. Here we address for
the remain releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker could use this to possibly execute arb
OSV
ruby2.3 vulnerabilities
osv·2018-01-31·CVSS 7.5
CVE-2017-0901 [HIGH] ruby2.3 vulnerabilities
ruby2.3 vulnerabilities
It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to potentially
overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker could
use this to possibly execute arbitrary code. (CVE-2017-0903)
OSV
CVE-2017-0902: RubyGems version 2
osv·2017-08-31·CVSS 8.1
CVE-2017-0902 [HIGH] CVE-2017-0902: RubyGems version 2
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Ubuntu
Ruby regression
vendor_ubuntu·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] Ruby regression
Title: Ruby regression
Summary: USN-3685-1 introduced a regression in Ruby.
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVE were already addressed in previous
USN: 3439-1, 3553-1, 3528-1. Here we address for
the remain releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Some of these CVE were already addressed in previous
USN: 3439-1, 3553-1, 3528-1. Here we address for
the remain releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-01-31·CVSS 7.5
CVE-2017-0901 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to potentially
overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker could
use this to possibly execute arbitrary code. (CVE-2017-0903)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rubygems: DNS hijacking vulnerability
vendor_redhat·2017-08-31·CVSS 8.1
CVE-2017-0902 [HIGH] CWE-138 rubygems: DNS hijacking vulnerability
rubygems: DNS hijacking vulnerability
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain.
Statement: This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 6, and 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Mod
Debian
CVE-2017-0902: rubygems - RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerabili...
vendor_debian·2017·CVSS 8.1
CVE-2017-0902 [HIGH] CVE-2017-0902: rubygems - RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerabili...
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Scope: local
bookworm: resolved (fixed in 3.2.0~rc.1-1)
bullseye: resolved (fixed in 3.2.0~rc.1-1)
forky: resolved (fixed in 3.2.0~rc.1-1)
sid: resolved (fixed in 3.2.0~rc.1-1)
trixie: resolved (fixed in 3.2.0~rc.1-1)
No detection rules found.
No public exploits indexed.
HackerOne
Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
hackerone·2018-12-08·CVSS 8.1
CVE-2017-0902 [HIGH] Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes...
"I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which
was the fix for the DNS hijacking issue CVE-2017-0902. The function
still handles the DNS response in a potentially unsafe way. I did not
find any actual vulnerabilities in the current code; the code that uses
the result of api_endpoint (perhaps coincidentally) discards the
potentially malicious components of the URI that api_endpoint returns.
But future code may be vulnerable. I'm sending this to the security list
because my checks for vulnerability may be incomplete.
The problem is that api_endpoint allows the DNS SRV response to c
Bugzilla
CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 rubygems: various flaws [fedora-all]
bugzilla·2017-09-01·CVSS 9.8
CVE-2017-0899 [CRITICAL] CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 rubygems: various flaws [fedora-all]
CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 rubygems: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2017-0902 rubygems: DNS hijacking vulnerability
bugzilla·2017-09-01·CVSS 8.1
CVE-2017-0902 [HIGH] CVE-2017-0902 rubygems: DNS hijacking vulnerability
CVE-2017-0902 rubygems: DNS hijacking vulnerability
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
vulnerability that allows a MITM attacker to force the RubyGems client
to download and install gems from a server that the attacker controls.
Upstream patches:
https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
Bug report:
https://hackerone.com/reports/218088
External References:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Discussion:
Created ruby193-rubygems tracking bugs for this issue:
Affects: openshift-1 [bug 1487592]
Created rubygems tracking bugs for this issue:
Affects: fedora-all [bug 1487591]
Affects: openshift-1 [bug 1487593]
---
This issue has been addressed in the following products:
Red Hat Soft
http://blog.rubygems.org/2017/08/27/2.6.13-released.htmlhttp://www.securityfocus.com/bid/100586http://www.securitytracker.com/id/1039249https://access.redhat.com/errata/RHSA-2017:3485https://access.redhat.com/errata/RHSA-2018:0378https://access.redhat.com/errata/RHSA-2018:0583https://access.redhat.com/errata/RHSA-2018:0585https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32https://hackerone.com/reports/218088https://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlhttps://security.gentoo.org/glsa/201710-01https://usn.ubuntu.com/3553-1/https://usn.ubuntu.com/3685-1/https://www.debian.org/security/2017/dsa-3966http://blog.rubygems.org/2017/08/27/2.6.13-released.htmlhttp://www.securityfocus.com/bid/100586http://www.securitytracker.com/id/1039249https://access.redhat.com/errata/RHSA-2017:3485https://access.redhat.com/errata/RHSA-2018:0378https://access.redhat.com/errata/RHSA-2018:0583https://access.redhat.com/errata/RHSA-2018:0585https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32https://hackerone.com/reports/218088https://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlhttps://security.gentoo.org/glsa/201710-01https://usn.ubuntu.com/3553-1/https://usn.ubuntu.com/3685-1/https://www.debian.org/security/2017/dsa-3966
2017-08-31
Published