Search for vulnerabilities
Vulnerability details: VCID-j53m-puxj-gbfb
Vulnerability ID VCID-j53m-puxj-gbfb
Aliases CVE-2018-1000073
GHSA-gx69-6cp4-hxrj
Summary RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-352 Cross-Site Request Forgery (CSRF)
System Score Found at
cvssv3.1 7.5 http://blog.rubygems.org/2018/02/15/2.7.6-released.html
generic_textual HIGH http://blog.rubygems.org/2018/02/15/2.7.6-released.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:3729
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:3729
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:3730
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:3730
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:3731
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:3731
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:2028
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:2028
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2020:0542
generic_textual HIGH https://access.redhat.com/errata/RHSA-2020:0542
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2020:0591
generic_textual HIGH https://access.redhat.com/errata/RHSA-2020:0591
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2020:0663
generic_textual HIGH https://access.redhat.com/errata/RHSA-2020:0663
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000073.json
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
epss 0.01344 https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
cvssv3.1 7.5 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986
generic_textual HIGH https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986
cvssv3 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gx69-6cp4-hxrj
cvssv3.1 7.5 https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
generic_textual HIGH https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
cvssv3.1 7.5 https://github.com/rubygems/rubygems
generic_textual HIGH https://github.com/rubygems/rubygems
cvssv3 7.5 https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
cvssv3.1 7.5 https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
generic_textual HIGH https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.yml
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
cvssv3.1 7.5 https://usn.ubuntu.com/3621-1
generic_textual HIGH https://usn.ubuntu.com/3621-1
cvssv3.1 7.5 https://www.debian.org/security/2018/dsa-4219
generic_textual HIGH https://www.debian.org/security/2018/dsa-4219
cvssv3.1 7.5 https://www.debian.org/security/2018/dsa-4259
generic_textual HIGH https://www.debian.org/security/2018/dsa-4259
Reference id Reference type URL
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000073.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1000073
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
https://github.com/rubygems/rubygems
https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.yml
https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
https://usn.ubuntu.com/3621-1
https://www.debian.org/security/2018/dsa-4219
https://www.debian.org/security/2018/dsa-4259
1547418 https://bugzilla.redhat.com/show_bug.cgi?id=1547418
cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*
GHSA-gx69-6cp4-hxrj https://github.com/advisories/GHSA-gx69-6cp4-hxrj
USN-3621-1 https://usn.ubuntu.com/3621-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://blog.rubygems.org/2018/02/15/2.7.6-released.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3729
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3730
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3731
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:2028
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2020:0542
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2020:0591
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2020:0663
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000073.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/rubygems/rubygems
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000073
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://usn.ubuntu.com/3621-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2018/dsa-4219
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2018/dsa-4259
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.79097
EPSS Score 0.01344
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:16:42.665130+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/3621-1/ 36.1.3