GHSA-qj2w-mw2r-pv39
- Source
- https://github.com/advisories/GHSA-qj2w-mw2r-pv39
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qj2w-mw2r-pv39/GHSA-qj2w-mw2r-pv39.json
- Aliases
- Published
- 2022-05-14T01:01:12Z
- Modified
- 2024-03-12T05:19:01.294475Z
- Summary
- RubyGems Deserialization of Untrusted Data vulnerability
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack requires the victim to run the
gem ownercommand on a gem with a specially crafted YAML file. This vulnerability is fixed in 2.7.6. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000074
- https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
- https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
- https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
- https://www.debian.org/security/2018/dsa-4259
- https://www.debian.org/security/2018/dsa-4219
- https://usn.ubuntu.com/3685-1
- https://usn.ubuntu.com/3621-2
- https://usn.ubuntu.com/3621-1
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00017.html
- https://access.redhat.com/errata/RHSA-2020:0663
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3729
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Affected packages
RubyGems / rubygems-update
Package
- Name
- rubygems-update
Affected versions
0.*
0.8.3
0.8.4
0.8.5
0.8.6
0.8.8
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.5.0
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.8.23
1.8.23.2
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.30
2.*
2.0.0.preview2
2.0.0.preview2.1
2.0.0.preview2.2
2.0.0.rc.1
2.0.0.rc.2
2.0.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.1.0.rc.1
2.1.0.rc.2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2.0.rc.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4.pre1
2.7.4
2.7.5
Maven / org.jruby:jruby-stdlib
Package
- Name
- org.jruby:jruby-stdlib
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed9.1.16.0
Affected versions
1.*
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.1
1.6.6
1.6.7
1.6.7.1
1.6.7.2
1.6.8
1.7.0.RC1
1.7.0.RC2
1.7.0
1.7.0.preview1
1.7.0.preview2
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.16.1
1.7.16.2
1.7.17
1.7.18
1.7.19
1.7.20
1.7.20.1
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
9.*
9.0.0.0.rc1
9.0.0.0.rc2
9.0.0.0
9.0.0.0.pre1
9.0.0.0.pre2
9.0.1.0
9.0.2.0
9.0.3.0
9.0.4.0
9.0.5.0
9.1.0.0
9.1.1.0
9.1.2.0
9.1.3.0
9.1.4.0
9.1.5.0
9.1.6.0
9.1.7.0
9.1.8.0
9.1.9.0
9.1.10.0
9.1.11.0
9.1.12.0
9.1.13.0
9.1.14.0
9.1.15.0