PT-2018-1153 · Ruby · Rubygems
David Fifield
Published 2018-02-15 · Updated 2022-05-14
CVE-2018-1000076
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
RubyGems versions 2.2.9 and earlier
RubyGems versions 2.3.6 and earlier
RubyGems versions 2.4.3 and earlier
RubyGems versions 2.5.0 and earlier
RubyGems prior to trunk revision 62422
Description
The vulnerability is an Improper Verification of Cryptographic Signature weakness in package.rb: a gem tarball that contains multiple gem signatures can pass verification, so a mis-signed gem can be installed. A remote attacker can exploit this to execute arbitrary code.
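As an added example (not the RubyGems fix or any code from the project), a defender-side audit that indexes a gem's outer tarball and flags the condition described above, a file name that appears more than once, along with signature entries whose signed counterpart is missing; `audit_gem_signatures` and `build_tar` are hypothetical helper names and the tarball contents are constructed.

```ruby
require 'rubygems/package'
require 'stringio'

# Walk the outer tarball of a .gem file and report two suspicious conditions:
# the same entry name appearing more than once (e.g. two data.tar.gz.sig
# entries) and a .sig entry with no matching signed file. Empty arrays mean
# nothing suspicious was found. This is an audit helper, not the verifier
# RubyGems itself uses.
def audit_gem_signatures(tar_io)
  counts = Hash.new(0)
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each { |entry| counts[entry.full_name] += 1 }
  end
  duplicates = counts.select { |_, n| n > 1 }.keys
  orphan_sigs = counts.keys.select do |name|
    name.end_with?('.sig') && !counts.key?(name.sub(/\.sig\z/, ''))
  end
  { duplicates: duplicates.sort, orphan_signatures: orphan_sigs.sort }
end

# Build an in-memory tarball from [name, bytes] pairs. Repeated names are
# written as separate entries, exactly as a crafted archive would carry them.
def build_tar(entries)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, data|
      tar.add_file_simple(name, 0o644, data.bytesize) { |f| f.write(data) }
    end
  end
  io.rewind
  io
end

# Constructed sample: the four entries of a well-formed signed gem.
CLEAN_GEM = [
  ['metadata.gz', 'constructed'], ['metadata.gz.sig', 'sig-A'],
  ['data.tar.gz', 'constructed'], ['data.tar.gz.sig', 'sig-B'],
].freeze
# Constructed sample: a second data.tar.gz.sig entry follows the first.
DOUBLE_SIGNED_GEM = (CLEAN_GEM + [['data.tar.gz.sig', 'sig-C']]).freeze

if __FILE__ == $0
  p audit_gem_signatures(build_tar(CLEAN_GEM))
  p audit_gem_signatures(build_tar(DOUBLE_SIGNED_GEM))
end
```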
Recommendations
For RubyGems versions 2.2.9 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.3.6 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.4.3 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.5.0 and earlier, update to a version newer than 2.7.6.
For RubyGems prior to trunk revision 62422, update to a version newer than 2.7.6.
Exploit
Fix
Improper Verification of Cryptographic Signature
Related identifiers
Affected products
Centos
Red Hat
Rubygems
Suse
Ubuntu