CVE-2018-1000079 — Path Traversal in Rubygems
Severity: NVD 5.5 (Medium); OSV 7.5
EPSS: 0.3% (top 45.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 13; Latest update May 14
Description
RubyGems as shipped with Ruby 2.2.9 and earlier (2.2 series), Ruby 2.3.6 and earlier (2.3 series), Ruby 2.4.3 and earlier (2.4 series), and Ruby 2.5.0 and earlier (2.5 series), prior to trunk revision 62422, contains a directory traversal vulnerability in gem installation: a gem can write to arbitrary filesystem locations during installation. The issue is exploitable only if the victim installs a malicious gem. This vulnerability appears to have been fixed in RubyGems 2.7.6.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (Exploitability: 1.8 | Impact: 3.6)
Affected Packages: 5 packages
Patches
Bugzilla (2018-02-21): CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 rubygems: various flaws [fedora-all]
Bugzilla (2018-02-21): CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
Bugzilla (2018-02-21): CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root