GHSA-mqwr-4qf2-2hcv

Source

https://github.com/advisories/GHSA-mqwr-4qf2-2hcv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mqwr-4qf2-2hcv/GHSA-mqwr-4qf2-2hcv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mqwr-4qf2-2hcv

Aliases

CVE-2017-0903

Published

2022-05-13T01:38:26Z

Modified

2024-02-22T05:43:12.105884Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

RubyGems vulnerable to Deserialization of Untrusted Data

Details

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. The issue has been patched in 2.6.14.

References

Affected packages

RubyGems / rubygems-update

Package

Name: rubygems-update
Purl: pkg:gem/rubygems-update

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.6.14

Affected versions

2.*

2.0.0

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.1.0.rc.1

2.1.0.rc.2

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.2.0.rc.1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13