CVE-2017-0903
Published 2017-10-11
Critical 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Affected
88 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | rubygems | < rubygems 3.2.0~rc.1-1 (bookworm) | rubygems 3.2.0~rc.1-1 (bookworm) |
| hackerone | rubygems | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_workstation | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
CVSS provenance
NVD (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
OSV: 9.8 CRITICAL
GHSA
RubyGems vulnerable to Deserialization of Untrusted Data
ghsa·2022-05-13
CVE-2017-0903 [CRITICAL] CWE-502 RubyGems vulnerable to Deserialization of Untrusted Data
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. The issue has been patched in 2.6.14.
OSV
RubyGems vulnerable to Deserialization of Untrusted Data
osv·2022-05-13
CVE-2017-0903 [CRITICAL] RubyGems vulnerable to Deserialization of Untrusted Data
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. The issue has been patched in 2.6.14.
OSV
ruby2.0 regression
osv·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] ruby2.0 regression
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls.
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
osv·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker could use this to possibly execute arb
OSV
ruby2.3 vulnerabilities
osv·2018-01-31·CVSS 7.5
CVE-2017-0901 [HIGH] ruby2.3 vulnerabilities
It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to potentially
overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker could
use this to possibly execute arbitrary code. (CVE-2017-0903)
OSV
CVE-2017-0903: RubyGems versions between 2
osv·2017-10-11·CVSS 9.8
CVE-2017-0903 [CRITICAL] CVE-2017-0903: RubyGems versions between 2
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Ubuntu
Ruby regression
vendor_ubuntu·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] Ruby regression
Summary: USN-3685-1 introduced a regression in Ruby.
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-01-31·CVSS 7.5
CVE-2017-0901 [HIGH] Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to potentially
overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker could
use this to possibly execute arbitrary code. (CVE-2017-0903)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rubygems: Unsafe object deserialization through YAML formatted gem specifications
vendor_redhat·2017-10-10·CVSS 9.8
CVE-2017-0903 [CRITICAL] CWE-20 rubygems: Unsafe object deserialization through YAML formatted gem specifications
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
Statement: This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of ruby as shipped with Red Hat Ente
Debian
CVE-2017-0903: rubygems - RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote c...
vendor_debian·2017·CVSS 9.8
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Scope: local
bookworm: resolved (fixed in 3.2.0~rc.1-1)
bullseye: resolved (fixed in 3.2.0~rc.1-1)
forky: resolved (fixed in 3.2.0~rc.1-1)
sid: resolved (fixed in 3.2.0~rc.1-1)
trixie: resolved (fixed in 3.2.0~rc.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-0903 ruby: rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all]
bugzilla·2017-10-11·CVSS 9.8
CVE-2017-0903 [CRITICAL] CVE-2017-0903 ruby: rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issu
Bugzilla
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all]
bugzilla·2017-10-10·CVSS 9.8
CVE-2017-0903 [CRITICAL] CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
bugzilla·2017-10-10·CVSS 9.8
CVE-2017-0903 [CRITICAL] CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
RubyGems versions 2.0.0 to 2.6.13 are vulnerable to unsafe object deserialization through a specially crafted YAML-formatted gem specification, which could lead to remote code execution when parsed without safeguards. Applications that process gems on the server are impacted, but not if rubygems is only used as a client.
References:
http://www.openwall.com/lists/oss-security/2017/10/10/2
Discussion:
Created ruby193-rubygems tracking bugs for this issue:
Affects: openshift-1 [bug 1500491]
Created rubygems tracking bugs for this issue:
Affects: fedora-all [bug 1500489]
Affects: openshift-1 [bug 1500490]
---
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1500654]
--
References:
http://blog.rubygems.org/2017/10/09/2.6.14-released.html
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
http://www.securityfocus.com/bid/101275
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
https://hackerone.com/reports/274990
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://usn.ubuntu.com/3553-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031