CVE-2018-1000074
- Source
- https://cve.org/CVERecord?id=CVE-2018-1000074
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000074.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-1000074
- Aliases
- Downstream
- Related
- Published
- 2018-03-13T15:29:00.487Z
- Modified
- 2026-03-15T22:19:17.010682Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the
gem ownercommand on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. - References
-
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://usn.ubuntu.com/3621-1/
- https://usn.ubuntu.com/3685-1/
- https://usn.ubuntu.com/3621-2/
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00017.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0663
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://access.redhat.com/errata/RHSA-2018:3730
- https://www.debian.org/security/2018/dsa-4219
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3731
- https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
Affected packages
Git / github.com/ruby/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ruby/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/rubygems/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "2.2.9" }, { "introduced": "0" }, { "last_affected": "2.3.6" }, { "introduced": "0" }, { "last_affected": "2.4.3" }, { "introduced": "0" }, { "last_affected": "2.5.0" } ] }
Affected versions
bundler-v2.*
bundler-v2.2.0
bundler-v2.2.0.rc.1
bundler-v2.2.0.rc.2
bundler-v2.2.1
bundler-v2.2.2
bundler-v2.2.3
bundler-v2.2.4
bundler-v2.2.5
bundler-v2.2.6
bundler-v2.2.7
bundler-v2.2.8
bundler-v2.2.9
bundler-v2.3.0
bundler-v2.3.1
bundler-v2.3.2
bundler-v2.3.3
bundler-v2.3.4
bundler-v2.3.5
bundler-v2.3.6
v1.*
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.0.preview2
v2.0.0.preview2.1
v2.0.0.preview2.2
v2.0.0.rc.1
v2.0.0.rc.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.rc.1
v2.1.0.rc.2
v2.1.1
v2.1.2
v2.1.3
v2.2.0.preview.1
v2.2.0.rc.1
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.10
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v3.*
v3.0.0
v3.0.0.beta1
v3.0.0.beta3
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0.pre1
v3.2.0
v3.2.0.rc.1
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6