CVE-2018-1000074

Name of the Vulnerable Software and Affected Versions RubyGems versions 2.2.9 and earlier RubyGems versions 2.3.6 and earlier RubyGems versions 2.4.3 and earlier RubyGems versions 2.5.0 and earlier RubyGems prior to trunk revision 62422

Description The issue is related to the deserialization of untrusted data in the owner command of the RubyGems package management system. This can be exploited by an attacker to execute arbitrary code using a specially crafted YAML file. The attack requires the victim to run the gem owner command on a gem with the malicious YAML file.

Recommendations For RubyGems versions 2.2.9 and earlier, update to a version later than 2.7.6. For RubyGems versions 2.3.6 and earlier, update to a version later than 2.7.6. For RubyGems versions 2.4.3 and earlier, update to a version later than 2.7.6. For RubyGems versions 2.5.0 and earlier, update to a version later than 2.7.6. For RubyGems prior to trunk revision 62422, update to a version later than 2.7.6. As a temporary workaround, consider avoiding the use of the gem owner command on untrusted gems until the issue is resolved.