Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-c7rs-vbjr-nyfz

Summary

Deserialization of Untrusted Data
rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Aliases

alias	CVE-2017-0903

Fixed_packages

url	pkg:gem/rubygems-update@2.6.14
purl	pkg:gem/rubygems-update@2.6.14
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.14

Affected_packages

url pkg:gem/rubygems-update@2.0.0

purl pkg:gem/rubygems-update@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.0.0

url pkg:gem/rubygems-update@2.6.13

purl pkg:gem/rubygems-update@2.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

References

reference_url	http://blog.rubygems.org/2017/10/09/2.6.14-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/10/09/2.6.14-released.html

reference_url	http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

reference_url	http://www.securityfocus.com/bid/101275
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/101275

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0903
reference_id	CVE-2017-0903
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0903

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	502
name	Deserialization of Untrusted Data
description	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c7rs-vbjr-nyfz

Vulnerability Instance