GHSA-87qx-g5wg-mwmj
- Source
- https://github.com/advisories/GHSA-87qx-g5wg-mwmj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-87qx-g5wg-mwmj/GHSA-87qx-g5wg-mwmj.json
- Aliases
- Published
- 2022-05-14T01:01:09Z
- Modified
- 2024-03-13T05:21:28.072094Z
- Summary
- RubyGems Cross-site Scripting vulnerability
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack requires the victim to browse to a malicious gem on a vulnerable gem server. This vulnerability is fixed in 2.7.6.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000078
- https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
- https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
- https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
- https://www.debian.org/security/2018/dsa-4259
- https://www.debian.org/security/2018/dsa-4219
- https://usn.ubuntu.com/3621-1
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
- https://access.redhat.com/errata/RHSA-2020:0663
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3729
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Affected packages
RubyGems / rubygems-update
Package
- Name
- rubygems-update
Affected versions
0.*
0.8.3
0.8.4
0.8.5
0.8.6
0.8.8
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.5.0
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.8.23
1.8.23.2
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.30
2.*
2.0.0.preview2
2.0.0.preview2.1
2.0.0.preview2.2
2.0.0.rc.1
2.0.0.rc.2
2.0.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.1.0.rc.1
2.1.0.rc.2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2.0.rc.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4.pre1
2.7.4
2.7.5
Maven / org.jruby:jruby-stdlib
Package
- Name
- org.jruby:jruby-stdlib
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed9.1.16.0
Affected versions
1.*
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.1
1.6.6
1.6.7
1.6.7.1
1.6.7.2
1.6.8
1.7.0.RC1
1.7.0.RC2
1.7.0
1.7.0.preview1
1.7.0.preview2
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.16.1
1.7.16.2
1.7.17
1.7.18
1.7.19
1.7.20
1.7.20.1
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
9.*
9.0.0.0.rc1
9.0.0.0.rc2
9.0.0.0
9.0.0.0.pre1
9.0.0.0.pre2
9.0.1.0
9.0.2.0
9.0.3.0
9.0.4.0
9.0.5.0
9.1.0.0
9.1.1.0
9.1.2.0
9.1.3.0
9.1.4.0
9.1.5.0
9.1.6.0
9.1.7.0
9.1.8.0
9.1.9.0
9.1.10.0
9.1.11.0
9.1.12.0
9.1.13.0
9.1.14.0
9.1.15.0