GHSA-7gcp-2gmq-w3xh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7gcp-2gmq-w3xh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7gcp-2gmq-w3xh/GHSA-7gcp-2gmq-w3xh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7gcp-2gmq-w3xh
- Aliases
- Published
- 2022-05-13T01:38:25Z
- Modified
- 2023-11-08T03:58:40.552021Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- RubyGems Code Injection vulnerability
- Details
-
RubyGems prior to 2.6.13 is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
- Database specific
{ "github_reviewed_at": "2023-03-09T00:37:49Z", "github_reviewed": true, "cwe_ids": [ "CWE-150", "CWE-94" ], "nvd_published_at": "2017-08-31T20:29:00Z", "severity": "CRITICAL" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-0899
- https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- https://hackerone.com/reports/226335
- https://access.redhat.com/errata/RHSA-2017:3485
- https://access.redhat.com/errata/RHSA-2018:0378
- https://access.redhat.com/errata/RHSA-2018:0583
- https://access.redhat.com/errata/RHSA-2018:0585
- https://github.com/rubygems/rubygems
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://security.gentoo.org/glsa/201710-01
- https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249
- https://web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100576#:~:text=1%20snapshot-,11%3A49%3A33,-Note
- https://www.debian.org/security/2017/dsa-3966
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Affected packages
RubyGems / rubygems-update
Package
- Name
- rubygems-update
- Purl
- pkg:gem/rubygems-update
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.6.13
Affected versions
0.*
0.8.3
0.8.4
0.8.5
0.8.6
0.8.8
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.5.0
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.8.23
1.8.23.2
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.30
2.*
2.0.0.preview2
2.0.0.preview2.1
2.0.0.preview2.2
2.0.0.rc.1
2.0.0.rc.2
2.0.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.1.0.rc.1
2.1.0.rc.2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2.0.rc.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12