CVE-2017-0903 - OpenCVE

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Rubygems	Rubygems
Redhat	Enterprise Linux Server Eus Enterprise Linux Server Aus Enterprise Linux Server Tus Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Server
Canonical	Ubuntu Linux
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:rubygems:rubygems:2.0.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:rc1::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:rc2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.5:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.6:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.7:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.8:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.9:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.10:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.11:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.12:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.13:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.14:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.15:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.16:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.17:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.0.rc.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.0.rc.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.5:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.6:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.7:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.8:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.9:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.10:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.11:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.0.preiew.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.0.rc.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.2.5:::::::*
	cpe:2.3:a:rubygems:rubygems:2.3.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.5:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.6:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.7:::::::*
	cpe:2.3:a:rubygems:rubygems:2.4.8:::::::*
	cpe:2.3:a:rubygems:rubygems:2.5.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.5.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.5.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.6.5:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.6:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.7:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.8:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.9:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.10:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.11:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.12:::::::*
cpe:2.3:a:rubygems:rubygems:2.6.13:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

References

Link	Resource
http://blog.rubygems.org/2017/10/09/2.6.14-released.html	Vendor Advisory
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html	Vendor Advisory
http://www.securityfocus.com/bid/101275	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3485	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0583	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585	Third Party Advisory
https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49	Patch Third Party Advisory
https://hackerone.com/reports/274990	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html	Mailing List Third Party Advisory
https://usn.ubuntu.com/3553-1/	Third Party Advisory
https://usn.ubuntu.com/3685-1/	Third Party Advisory
https://www.debian.org/security/2017/dsa-4031	Third Party Advisory