CVE-2017-0902
31.08.2017, 20:29
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.Enginsight
| Vendor | Product | Version |
|---|---|---|
| rubygems | rubygems | 𝑥 ≤ 2.6.12 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 17.10 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.4 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_workstation | 7.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| jruby |
| ||||||||||||||||||||||||||||||||||
| ruby1.9.1 |
| ||||||||||||||||||||||||||||||||||
| ruby2.0 |
| ||||||||||||||||||||||||||||||||||
| ruby2.3 |
|
Common Weakness Enumeration
- CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical ActionThe software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
- CWE-346 - Origin Validation ErrorThe software does not properly verify that the source of data or communication is valid.
References