PT-2018-3136 · Tags: Ruby, Rubygems
Segiddins · Published 2018-02-15 · Updated 2022-05-14
CVE-2018-1000079
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
RubyGems versions 2.2.9 and earlier
RubyGems versions 2.3.6 and earlier
RubyGems versions 2.4.3 and earlier
RubyGems versions 2.5.0 and earlier
RubyGems prior to trunk revision 62422
Description
The issue is a directory traversal vulnerability in gem installation: a gem can write to arbitrary filesystem locations while it is being installed. It can be exploited by installing a malicious gem. The root cause is insufficient restriction of the path names taken from the gem's contents to the intended installation directory.
Recommendations
For RubyGems versions 2.2.9 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.3.6 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.4.3 and earlier, update to a version newer than 2.7.6.
For RubyGems versions 2.5.0 and earlier, update to a version newer than 2.7.6.
For RubyGems prior to trunk revision 62422, update to a version newer than 2.7.6.
As a temporary workaround, consider avoiding the installation of gems from untrusted sources until the issue is resolved.
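The defensive check that this class of bug calls for is a containment test: every file name taken from a gem's archive must resolve to a location inside the install directory before anything is written. The example below is added here to illustrate that check; it is not RubyGems' own code, and the function names (`safe_install_location`, `rejected_entries`), the error class and the sample entry names are all constructed for this illustration.

```ruby
require "pathname"

# Raised when an archive entry would land outside the install directory.
class TraversalError < StandardError; end

# Hypothetical containment check (added example, not RubyGems' own code).
# entry_name:      file name as recorded in the gem's archive
# destination_dir: directory the gem is being installed into
# Returns the absolute path the entry may be written to, or raises.
def safe_install_location(entry_name, destination_dir)
  dest_root = File.expand_path(destination_dir)

  # Archives should only carry relative names; an absolute one is rejected outright.
  if Pathname.new(entry_name).absolute?
    raise TraversalError, "absolute path in archive entry: #{entry_name}"
  end

  # expand_path resolves "." and ".." lexically, so "lib/../../x" collapses
  # to its real target before we compare it with the install root.
  candidate = File.expand_path(entry_name, dest_root)

  # The candidate must be the root itself or sit strictly below it. Comparing
  # against root + separator prevents "/opt/gems/foo-1.0-evil" from passing a
  # naive prefix test against "/opt/gems/foo-1.0".
  unless candidate == dest_root || candidate.start_with?(dest_root + File::SEPARATOR)
    raise TraversalError, "archive entry escapes install directory: #{entry_name}"
  end

  candidate
end

# Convenience: given the entry names of an archive, return those that would be
# rejected. Useful for a pre-install audit or a detection rule over gem contents.
def rejected_entries(entry_names, destination_dir)
  entry_names.select do |name|
    begin
      safe_install_location(name, destination_dir)
      false
    rescue TraversalError
      true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample archive listing: two benign entries, three that escape.
  sample_entries = [
    "lib/foo.rb",
    "lib/nested/../ok.rb",
    "../../outside.txt",
    "lib/../../escape.rb",
    "/tmp/absolute.txt",
  ]
  puts rejected_entries(sample_entries, "/opt/gems/foo-1.0").inspect
end
```

Two caveats a practitioner will want: the lexical check above does not follow symlinks, so an installer that extracts symlink entries must additionally verify that a link's target stays inside the root (or refuse symlinks altogether), and the check must run on every entry before the first write, since a traversal entry late in the archive is as dangerous as one at the start.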
Exploit
Fix
Path traversal
Weakness Enumeration
Related identifiers
Affected products
Centos
Red Hat
Rubygems
Suse
Ubuntu