PT-2017-3268 · Ruby+5 · Rubygems+5

Mame

Published

2017-08-31

Updated

2022-05-13

CVE-2017-0901

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions RubyGems versions 2.6.12 and earlier

Description The issue exists due to insufficient input validation in the package manager. Exploitation of this issue may allow a remote attacker to overwrite any file on the filesystem. A maliciously crafted gem can potentially be used to achieve this.

Recommendations For RubyGems versions 2.6.12 and earlier, consider updating to a version that fixes the specification name validation issue to prevent potential file overwrites. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-22

Related Identifiers

ALT-PU-2017-2195

BDU:2018-00026

CESA-2018_0378

CVE-2017-0901

DLA-1112-1

DLA-1114-1

DLA-1421-1

DSA-3966-1

GHSA-PM9X-4392-2C2P

MGASA-2017-0482

RHSA-2017:3485

RHSA-2018:0378

RHSA-2018:0583

RHSA-2018:0585

RHSA-2018_0378

SUSE-SU-2020:1570-1

SUSE-SU-2020_1570-1

USN-3439-1

USN-3553-1

USN-3685-1

Affected Products

Alt Linux

Centos

Red Hat

Rubygems

Suse

Ubuntu

PT-2017-3268 · Ruby+5 · Rubygems+5

CVE-2017-0901

Weakness Enumeration

Related Identifiers

Affected Products

References · 139