{
  "url": "http://public2.vulnerablecode.io/api/packages/54035?format=json",
  "purl": "pkg:gem/rubygems-update@2.6.12",
  "type": "gem",
  "namespace": "",
  "name": "rubygems-update",
  "version": "2.6.12",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "2.6.14",
  "latest_non_vulnerable_version": "3.0.3",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38790?format=json",
      "vulnerability_id": "VCID-68hc-d8u1-yye5",
      "summary": "Improper Input Validation\nRubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.",
      "references": [
        {"reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"},
        {"reference_url": "http://www.securityfocus.com/bid/100579", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100579"},
        {"reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249"},
        {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0900", "reference_id": "CVE-2017-0900", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0900"}
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/54036?format=json",
          "purl": "pkg:gem/rubygems-update@2.6.13",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-c7rs-vbjr-nyfz"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13"
        }
      ],
      "aliases": ["CVE-2017-0900"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-68hc-d8u1-yye5"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38792?format=json",
      "vulnerability_id": "VCID-bb6n-nq7v-8qex",
      "summary": "Improper Input Validation\nRubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.",
      "references": [
        {"reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"},
        {"reference_url": "https://www.exploit-db.com/exploits/42611/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/42611/"},
        {"reference_url": "http://www.securityfocus.com/bid/100580", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100580"},
        {"reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249"},
        {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0901", "reference_id": "CVE-2017-0901", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0901"}
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/54036?format=json",
          "purl": "pkg:gem/rubygems-update@2.6.13",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-c7rs-vbjr-nyfz"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13"
        }
      ],
      "aliases": ["CVE-2017-0901"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bb6n-nq7v-8qex"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38789?format=json",
      "vulnerability_id": "VCID-br82-gd5d-pqew",
      "summary": "Origin Validation Error\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.",
      "references": [
        {"reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"},
        {"reference_url": "https://hackerone.com/reports/218088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/218088"},
        {"reference_url": "http://www.securityfocus.com/bid/100586", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100586"},
        {"reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249"},
        {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902", "reference_id": "CVE-2017-0902", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902"}
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/54036?format=json",
          "purl": "pkg:gem/rubygems-update@2.6.13",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-c7rs-vbjr-nyfz"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13"
        }
      ],
      "aliases": ["CVE-2017-0902"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-br82-gd5d-pqew"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38793?format=json",
      "vulnerability_id": "VCID-nd17-pxzx-nyba",
      "summary": "Code Injection\nRubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.",
      "references": [
        {"reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"},
        {"reference_url": "http://www.securityfocus.com/bid/100576", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100576"},
        {"reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249"},
        {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0899", "reference_id": "CVE-2017-0899", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0899"}
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/54036?format=json",
          "purl": "pkg:gem/rubygems-update@2.6.13",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-c7rs-vbjr-nyfz"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13"
        }
      ],
      "aliases": ["CVE-2017-0899"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nd17-pxzx-nyba"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.12"
}