PT-2018-1980
Tags: Ruby, Rubygems
Author: David Fifield (+1 other)
Published: 2018-03-13
Updated: 2022-05-14
CVE-2018-1000077
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
RubyGems versions 2.2.9 and earlier
RubyGems versions 2.3.6 and earlier
RubyGems versions 2.4.3 and earlier
RubyGems versions 2.5.0 and earlier
RubyGems prior to trunk revision 62422
Description
The vulnerability is caused by improper input validation of the homepage attribute in a RubyGems gem specification: a malicious gem can set an invalid homepage URL. Because HTTP/FTP request parameters built from that value are not handled properly, incorrect URLs may be formed. Exploitation of this issue may allow a remote attacker to compromise data integrity.
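As an added illustration (not code from this advisory or from RubyGems itself), the following Ruby check rejects a gem specification whose homepage attribute is not an absolute http/https URL, the class of unvalidated input the description refers to. The helper names and the acceptance rule are assumptions, modelled on what a defender gating gems before publishing or installing them would want.

```ruby
require "uri"
require "rubygems"

# Assumed acceptance rule: only absolute http/https URLs are allowed as a homepage.
HOMEPAGE_SCHEMES = %w[http https].freeze

# Returns [ok, reason]. Rejects blank values, relative paths, non-http(s) schemes,
# host-less URLs and strings containing whitespace that would confuse a URL parser.
def homepage_valid?(homepage)
  return [false, "homepage is not a String"] unless homepage.is_a?(String)
  return [false, "homepage is empty"] if homepage.strip.empty?
  return [false, "homepage contains whitespace"] if homepage =~ /\s/

  uri = URI.parse(homepage)
  unless HOMEPAGE_SCHEMES.include?(uri.scheme)
    return [false, "scheme #{uri.scheme.inspect} is not http/https"]
  end
  return [false, "homepage has no host"] if uri.host.nil? || uri.host.empty?

  [true, nil]
rescue URI::InvalidURIError => e
  [false, "unparseable homepage: #{e.message}"]
end

# Builds a constructed in-memory spec (nothing is installed) and checks its homepage.
def check_spec(name, homepage)
  spec = Gem::Specification.new do |s|
    s.name = name
    s.version = "0.0.1"
    s.summary = "constructed sample gemspec"
    s.authors = ["example"]
    s.homepage = homepage
  end
  ok, reason = homepage_valid?(spec.homepage)
  { name: spec.full_name, ok: ok, reason: reason }
end

if $PROGRAM_NAME == __FILE__
  [
    ["good-gem", "https://example.com/good-gem"],
    ["ftp-gem", "ftp://example.com/pub"],
    ["relative-gem", "/not/a/url"],
    ["space-gem", "http://example.com/a b"],
  ].each { |n, h| p check_spec(n, h) }
end
```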
Recommendations
For RubyGems versions 2.2.9 and earlier, update to a version later than 2.7.6.
For RubyGems versions 2.3.6 and earlier, update to a version later than 2.7.6.
For RubyGems versions 2.4.3 and earlier, update to a version later than 2.7.6.
For RubyGems versions 2.5.0 and earlier, update to a version later than 2.7.6.
For RubyGems prior to trunk revision 62422, update to a version later than 2.7.6.
Affected Products
Centos
Red Hat
Rubygems
Suse
Ubuntu