| purl | pkg:gem/rubygems-update@2.5.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-b36p-re17-n7dq; Aliases: CVE-2017-0900 GHSA-p7f2-rr42-m9xm | Improper Input Validation: RubyGems is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients who have issued a `query` command. | Affected by 6 other vulnerabilities. |
| VCID-cde2-rv4n-tkau; Aliases: CVE-2017-0903 GHSA-mqwr-4qf2-2hcv | Deserialization of Untrusted Data: rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. | Affected by 5 other vulnerabilities. |
| VCID-jmzh-89dm-r7g2; Aliases: CVE-2017-0902 GHSA-73w7-6w9g-gc8w | Origin Validation Error: RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. | Affected by 6 other vulnerabilities. |
| VCID-xgsa-5umz-qffr; Aliases: CVE-2017-0899 GHSA-7gcp-2gmq-w3xh | Code Injection: RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | Affected by 6 other vulnerabilities. |
| VCID-xz68-vwz2-2ke4; Aliases: CVE-2017-0901 GHSA-pm9x-4392-2c2p | Improper Input Validation: RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. | Affected by 6 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8d7n-bfhu-dkfd | Loop with Unreachable Exit Condition (Infinite Loop): RubyGems contains an infinite loop vulnerability in the ruby gem package tar header, where a negative size could cause an infinite loop. | CVE-2018-1000075 GHSA-74pv-v9gh-h25p |
| VCID-8hm4-c4w4-gfen | Cross-site Scripting: RubyGems contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appears to be exploitable by the victim browsing to a malicious gem on a vulnerable gem server. | CVE-2018-1000078 GHSA-87qx-g5wg-mwmj |
| VCID-9t45-d5mf-3uar | Path Traversal: RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem. | CVE-2018-1000079 GHSA-8qxg-mff5-j3wc |
| VCID-af1f-xwwy-jfa8 | RubyGems contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. | CVE-2018-1000074 GHSA-qj2w-mw2r-pv39 |
| VCID-mamm-cvdr-subf | RubyGems contains an Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem being able to set an invalid homepage URL. | CVE-2018-1000077 GHSA-gv86-43rv-79m2 |
| VCID-tq93-h2ag-s3bx | Path Traversal: RubyGems contains a Directory Traversal vulnerability in install_location function of `package.rb` that can result in path traversal when writing to a symlinked basedir outside the root. | CVE-2018-1000073 GHSA-gx69-6cp4-hxrj |
| VCID-w4ns-f42m-pyec | RubyGems contains an Improper Verification of Cryptographic Signature vulnerability in `package.rb` that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. | CVE-2018-1000076 GHSA-mc6j-h948-v2p6 |