Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/rubygems-update@2.6.13

Type gem

Namespace

Name rubygems-update

Version 2.6.13

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.6.14

Latest_non_vulnerable_version 3.0.3

Affected_by_vulnerabilities

url VCID-c7rs-vbjr-nyfz

vulnerability_id VCID-c7rs-vbjr-nyfz

summary

Deserialization of Untrusted Data
rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

references

reference_url	http://blog.rubygems.org/2017/10/09/2.6.14-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/10/09/2.6.14-released.html

reference_url	http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

reference_url	http://www.securityfocus.com/bid/101275
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/101275

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0903
reference_id	CVE-2017-0903
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0903

fixed_packages

url	pkg:gem/rubygems-update@2.6.14
purl	pkg:gem/rubygems-update@2.6.14
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.14

aliases CVE-2017-0903

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c7rs-vbjr-nyfz

Fixing_vulnerabilities

url VCID-68hc-d8u1-yye5

vulnerability_id VCID-68hc-d8u1-yye5

summary

Improper Input Validation
RubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

references

reference_url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html

reference_url	http://www.securityfocus.com/bid/100579
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100579

reference_url	http://www.securitytracker.com/id/1039249
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039249

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0900
reference_id	CVE-2017-0900
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0900

fixed_packages

url pkg:gem/rubygems-update@2.6.13

purl pkg:gem/rubygems-update@2.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

aliases CVE-2017-0900

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-68hc-d8u1-yye5

url VCID-bb6n-nq7v-8qex

vulnerability_id VCID-bb6n-nq7v-8qex

summary

Improper Input Validation
RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

references

reference_url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html

reference_url	https://www.exploit-db.com/exploits/42611/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/42611/

reference_url	http://www.securityfocus.com/bid/100580
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100580

reference_url	http://www.securitytracker.com/id/1039249
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039249

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0901
reference_id	CVE-2017-0901
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0901

fixed_packages

url pkg:gem/rubygems-update@2.6.13

purl pkg:gem/rubygems-update@2.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

aliases CVE-2017-0901

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bb6n-nq7v-8qex

url VCID-br82-gd5d-pqew

vulnerability_id VCID-br82-gd5d-pqew

summary

Origin Validation Error
RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

references

reference_url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html

reference_url	https://hackerone.com/reports/218088
reference_id
reference_type
scores
url	https://hackerone.com/reports/218088

reference_url	http://www.securityfocus.com/bid/100586
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100586

reference_url	http://www.securitytracker.com/id/1039249
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039249

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0902
reference_id	CVE-2017-0902
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0902

fixed_packages

url pkg:gem/rubygems-update@2.6.13

purl pkg:gem/rubygems-update@2.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

aliases CVE-2017-0902

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-br82-gd5d-pqew

url VCID-nd17-pxzx-nyba

vulnerability_id VCID-nd17-pxzx-nyba

summary

Code Injection
RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

references

reference_url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html
reference_id
reference_type
scores
url	http://blog.rubygems.org/2017/08/27/2.6.13-released.html

reference_url	http://www.securityfocus.com/bid/100576
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100576

reference_url	http://www.securitytracker.com/id/1039249
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039249

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-0899
reference_id	CVE-2017-0899
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-0899

fixed_packages

url pkg:gem/rubygems-update@2.6.13

purl pkg:gem/rubygems-update@2.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c7rs-vbjr-nyfz

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

aliases CVE-2017-0899

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nd17-pxzx-nyba

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13

Package Instance