Vulnerability details: VCID-nhny-8weg-7fam
Vulnerability ID VCID-nhny-8weg-7fam
Aliases CVE-2017-0903
GHSA-mqwr-4qf2-2hcv
Summary
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 9.8 http://blog.rubygems.org/2017/10/09/2.6.14-released.html
generic_textual CRITICAL http://blog.rubygems.org/2017/10/09/2.6.14-released.html
cvssv3.1 9.8 http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
generic_textual CRITICAL http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
cvssv3.1 9.8 https://access.redhat.com/errata/RHSA-2017:3485
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2017:3485
cvssv3.1 9.8 https://access.redhat.com/errata/RHSA-2018:0378
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2018:0378
cvssv3.1 9.8 https://access.redhat.com/errata/RHSA-2018:0583
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2018:0583
cvssv3.1 9.8 https://access.redhat.com/errata/RHSA-2018:0585
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2018:0585
cvssv3 5.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-0903.json
epss 0.04901 https://api.first.org/data/v1/epss?cve=CVE-2017-0903
cvssv3 9.8 https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
cvssv2 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 6.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-mqwr-4qf2-2hcv
cvssv3.1 9.8 https://github.com/rubygems/rubygems
generic_textual CRITICAL https://github.com/rubygems/rubygems
cvssv3.1 9.8 https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
generic_textual CRITICAL https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
cvssv3.1 9.8 https://hackerone.com/reports/274990
generic_textual CRITICAL https://hackerone.com/reports/274990
cvssv3.1 9.8 https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
generic_textual CRITICAL https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2017-0903
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2017-0903
cvssv3.1 9.8 https://usn.ubuntu.com/3553-1
generic_textual CRITICAL https://usn.ubuntu.com/3553-1
cvssv3.1 9.8 https://usn.ubuntu.com/3685-1
generic_textual CRITICAL https://usn.ubuntu.com/3685-1
cvssv3.1 9.8 https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275
generic_textual CRITICAL https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275
cvssv3.1 9.8 https://www.debian.org/security/2017/dsa-4031
generic_textual CRITICAL https://www.debian.org/security/2017/dsa-4031
Reference id Reference type URL
http://blog.rubygems.org/2017/10/09/2.6.14-released.html
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-0903.json
https://api.first.org/data/v1/epss?cve=CVE-2017-0903
https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubygems/rubygems
https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
https://hackerone.com/reports/274990
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://nvd.nist.gov/vuln/detail/CVE-2017-0903
https://usn.ubuntu.com/3553-1
https://usn.ubuntu.com/3685-1
https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275
https://www.debian.org/security/2017/dsa-4031
http://www.securityfocus.com/bid/101275
1500488 https://bugzilla.redhat.com/show_bug.cgi?id=1500488
879231 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879231
GHSA-mqwr-4qf2-2hcv https://github.com/advisories/GHSA-mqwr-4qf2-2hcv
USN-3553-1 https://usn.ubuntu.com/3553-1/
USN-3685-1 https://usn.ubuntu.com/3685-1/
USN-3685-2 https://usn.ubuntu.com/3685-2/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://blog.rubygems.org/2017/10/09/2.6.14-released.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2017:3485
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:0378
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:0583
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:0585
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-0903.json
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://hackerone.com/reports/274990
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-0903
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://usn.ubuntu.com/3553-1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://usn.ubuntu.com/3685-1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2017/dsa-4031
Exploit Prediction Scoring System (EPSS)
Percentile 0.89116
EPSS Score 0.04901
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:13:51.696238+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/3685-2/ 36.1.3