CVE-2017-0903 — Deserialization of Untrusted Data in Rubygems
Severity: 9.8 CRITICAL (NVD); 9.1 (OSV); 7.5 (OSV)
EPSS: 5.5% (top 9.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 11; latest update May 13
Description
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass the class whitelist, so specially crafted serialized objects can possibly be used to escalate to remote code execution.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)
Affected Packages (6 packages)
Also affects: Debian Linux 8.0, 9.0; Ubuntu Linux 14.04, 16.04, 17.10; Enterprise Linux 7.4, 7.5, 7.6
Patches
Vulnerability Details
Vendor Advisories (7)
- Red Hat (5)
- Debian: CVE-2017-0903: rubygems - RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote c... (2017)
Community (3)
- Bugzilla: CVE-2017-0903 ruby: rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all] (2017-10-11)
- Bugzilla: CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all] (2017-10-10)
- Bugzilla: CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications (2017-10-10)