{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-18T00:00:00", "datePublic": "2018-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-03T18:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4219", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4219"}, {"name": "USN-3621-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3621-1/"}, {"name": "RHSA-2018:3729", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83"}, {"name": "RHSA-2018:3730", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"name": "[debian-lts-announce] 20180423 [SECURITY] [DLA 1358-1] ruby1.9.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"name": "RHSA-2018:3731", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"name": "[debian-lts-announce] 20180402 [SECURITY] [DLA 1337-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "DSA-4259", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4259"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"name": "[debian-lts-announce] 20180401 [SECURITY] [DLA 1336-1] rubygems security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:2028", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"name": "RHSA-2020:0542", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"name": "RHSA-2020:0591", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"name": "RHSA-2020:0663", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0663"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/18/2018 8:01:41", "ID": "CVE-2018-1000075", "REQUESTER": "craig.ingram@salesforce.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4219", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4219"}, {"name": "USN-3621-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3621-1/"}, {"name": "RHSA-2018:3729", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"name": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83"}, {"name": "RHSA-2018:3730", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"name": "[debian-lts-announce] 20180423 [SECURITY] [DLA 1358-1] ruby1.9.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"name": "RHSA-2018:3731", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"name": "[debian-lts-announce] 20180402 [SECURITY] [DLA 1337-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "DSA-4259", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4259"}, {"name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "refsource": "MISC", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"name": "[debian-lts-announce] 20180401 [SECURITY] [DLA 1336-1] rubygems security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:2028", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"name": "RHSA-2020:0542", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"name": "RHSA-2020:0591", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"name": "RHSA-2020:0663", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0663"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000075", "datePublished": "2018-03-13T15:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2020-03-03T18:06:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE89FF0-0079-4DF5-ACFC-E1B5415E54F4", "versionEndIncluding": "2.2.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "8080FB82-5445-4A17-9ECB-806991906E80", "versionEndIncluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCBC38C5-781E-4998-877D-42265F1DBD05", "versionEndIncluding": "2.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "6ACE6376-2E27-4F56-9315-03367963DB09", "versionEndIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6."}, {"lang": "es", "value": "Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisi\u00f3n del trunk 62422 contiene un bucle infinito provocado por una vulnerabilidad de tama\u00f1o negativo en la cabecera tar del paquete de ruby gem que puede resultar en un tama\u00f1o negativo que desemboque en un bucle infinito. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 2.7.6."}], "id": "CVE-2018-1000075", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-13T15:29:00.550", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0663"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3621-1/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2018/dsa-4219"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2018/dsa-4259"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}