ALT-PU-2017-2195-1
Closed vulnerabilities
Published: 2017-08-31
BDU:2018-00026
Уязвимость менеджера пакетов rubygems, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю осуществить перезапись любого файла
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Published: 2017-06-12
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2015-9096
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Severity: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- http://www.mbsd.jp/Whitepaper/smtpi.pdf
- http://www.mbsd.jp/Whitepaper/smtpi.pdf
- https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
- https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
- https://github.com/rubysec/ruby-advisory-db/issues/215
- https://github.com/rubysec/ruby-advisory-db/issues/215
- https://hackerone.com/reports/137631
- https://hackerone.com/reports/137631
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- DSA-3966
- DSA-3966
Published: 2017-08-31
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-0899
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- 100576
- 100576
- 1039249
- 1039249
- RHSA-2017:3485
- RHSA-2017:3485
- RHSA-2018:0378
- RHSA-2018:0378
- RHSA-2018:0583
- RHSA-2018:0583
- RHSA-2018:0585
- RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- https://hackerone.com/reports/226335
- https://hackerone.com/reports/226335
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- GLSA-201710-01
- GLSA-201710-01
- DSA-3966
- DSA-3966
Published: 2017-08-31
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-0900
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- 100579
- 100579
- 1039249
- 1039249
- RHSA-2017:3485
- RHSA-2017:3485
- RHSA-2018:0378
- RHSA-2018:0378
- RHSA-2018:0583
- RHSA-2018:0583
- RHSA-2018:0585
- RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
- https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
- https://hackerone.com/reports/243003
- https://hackerone.com/reports/243003
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- GLSA-201710-01
- GLSA-201710-01
- DSA-3966
- DSA-3966
Published: 2017-08-31
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-0901
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- 100580
- 100580
- 1039249
- 1039249
- RHSA-2017:3485
- RHSA-2017:3485
- RHSA-2018:0378
- RHSA-2018:0378
- RHSA-2018:0583
- RHSA-2018:0583
- RHSA-2018:0585
- RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
- https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
- https://hackerone.com/reports/243156
- https://hackerone.com/reports/243156
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- GLSA-201710-01
- GLSA-201710-01
- USN-3553-1
- USN-3553-1
- USN-3685-1
- USN-3685-1
- DSA-3966
- DSA-3966
- 42611
- 42611
Published: 2017-08-31
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-0902
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Severity: HIGH (8.1)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- 100586
- 100586
- 1039249
- 1039249
- RHSA-2017:3485
- RHSA-2017:3485
- RHSA-2018:0378
- RHSA-2018:0378
- RHSA-2018:0583
- RHSA-2018:0583
- RHSA-2018:0585
- RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
- https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
- https://hackerone.com/reports/218088
- https://hackerone.com/reports/218088
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- GLSA-201710-01
- GLSA-201710-01
- USN-3553-1
- USN-3553-1
- USN-3685-1
- USN-3685-1
- DSA-3966
- DSA-3966