CVE-2017-0903
11.10.2017, 18:29
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| rubygems | rubygems | 2.0.0 |
| rubygems | rubygems | 2.0.0:preview2 |
| rubygems | rubygems | 2.0.0:preview2.1 |
| rubygems | rubygems | 2.0.0:preview2.2 |
| rubygems | rubygems | 2.0.0:rc1 |
| rubygems | rubygems | 2.0.0:rc2 |
| rubygems | rubygems | 2.0.1 |
| rubygems | rubygems | 2.0.2 |
| rubygems | rubygems | 2.0.3 |
| rubygems | rubygems | 2.0.4 |
| rubygems | rubygems | 2.0.5 |
| rubygems | rubygems | 2.0.6 |
| rubygems | rubygems | 2.0.7 |
| rubygems | rubygems | 2.0.8 |
| rubygems | rubygems | 2.0.9 |
| rubygems | rubygems | 2.0.10 |
| rubygems | rubygems | 2.0.11 |
| rubygems | rubygems | 2.0.12 |
| rubygems | rubygems | 2.0.13 |
| rubygems | rubygems | 2.0.14 |
| rubygems | rubygems | 2.0.15 |
| rubygems | rubygems | 2.0.16 |
| rubygems | rubygems | 2.0.17 |
| rubygems | rubygems | 2.1.0 |
| rubygems | rubygems | 2.1.0.rc.1:rc.1 |
| rubygems | rubygems | 2.1.0.rc.2:rc.2 |
| rubygems | rubygems | 2.1.1 |
| rubygems | rubygems | 2.1.2 |
| rubygems | rubygems | 2.1.3 |
| rubygems | rubygems | 2.1.4 |
| rubygems | rubygems | 2.1.5 |
| rubygems | rubygems | 2.1.6 |
| rubygems | rubygems | 2.1.7 |
| rubygems | rubygems | 2.1.8 |
| rubygems | rubygems | 2.1.9 |
| rubygems | rubygems | 2.1.10 |
| rubygems | rubygems | 2.1.11 |
| rubygems | rubygems | 2.2.0 |
| rubygems | rubygems | 2.2.0.preiew.1:preiew.1 |
| rubygems | rubygems | 2.2.0.rc.1:rc.1 |
| rubygems | rubygems | 2.2.1 |
| rubygems | rubygems | 2.2.2 |
| rubygems | rubygems | 2.2.3 |
| rubygems | rubygems | 2.2.4 |
| rubygems | rubygems | 2.2.5 |
| rubygems | rubygems | 2.3.0 |
| rubygems | rubygems | 2.4.0 |
| rubygems | rubygems | 2.4.1 |
| rubygems | rubygems | 2.4.2 |
| rubygems | rubygems | 2.4.3 |
| rubygems | rubygems | 2.4.4 |
| rubygems | rubygems | 2.4.5 |
| rubygems | rubygems | 2.4.6 |
| rubygems | rubygems | 2.4.7 |
| rubygems | rubygems | 2.4.8 |
| rubygems | rubygems | 2.5.0 |
| rubygems | rubygems | 2.5.1 |
| rubygems | rubygems | 2.5.2 |
| rubygems | rubygems | 2.6.0 |
| rubygems | rubygems | 2.6.1 |
| rubygems | rubygems | 2.6.2 |
| rubygems | rubygems | 2.6.3 |
| rubygems | rubygems | 2.6.4 |
| rubygems | rubygems | 2.6.5 |
| rubygems | rubygems | 2.6.6 |
| rubygems | rubygems | 2.6.7 |
| rubygems | rubygems | 2.6.8 |
| rubygems | rubygems | 2.6.9 |
| rubygems | rubygems | 2.6.10 |
| rubygems | rubygems | 2.6.11 |
| rubygems | rubygems | 2.6.12 |
| rubygems | rubygems | 2.6.13 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 17.10 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.4 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_workstation | 7.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| jruby |
| ||||||||||||||||||||||||||||||||||
| ruby1.9.1 |
| ||||||||||||||||||||||||||||||||||
| ruby2.0 |
| ||||||||||||||||||||||||||||||||||
| ruby2.3 |
|
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libruby2_1-2_1 |
| ||||||||||||
| yast2-ruby-bindings |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| ruby |
| ||
| ruby-devel |
| ||
| ruby-doc |
| ||
| ruby-irb |
| ||
| ruby-libs |
| ||
| ruby-tcltk |
| ||
| rubygem-bigdecimal |
| ||
| rubygem-io-console |
| ||
| rubygem-json |
| ||
| rubygem-minitest |
| ||
| rubygem-psych |
| ||
| rubygem-rake |
| ||
| rubygem-rdoc |
| ||
| rubygems |
| ||
| rubygems-devel |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| ruby22 |
| ||
| ruby22-debuginfo |
| ||
| ruby22-devel |
| ||
| ruby22-doc |
| ||
| ruby22-irb |
| ||
| ruby22-libs |
| ||
| ruby23 |
| ||
| ruby23-debuginfo |
| ||
| ruby23-devel |
| ||
| ruby23-doc |
| ||
| ruby23-irb |
| ||
| ruby23-libs |
| ||
| ruby24 |
| ||
| ruby24-debuginfo |
| ||
| ruby24-devel |
| ||
| ruby24-doc |
| ||
| ruby24-irb |
| ||
| ruby24-libs |
| ||
| rubygem22-bigdecimal |
| ||
| rubygem22-io-console |
| ||
| rubygem22-psych |
| ||
| rubygem23-bigdecimal |
| ||
| rubygem23-did_you_mean |
| ||
| rubygem23-io-console |
| ||
| rubygem23-json |
| ||
| rubygem23-psych |
| ||
| rubygem24-bigdecimal |
| ||
| rubygem24-did_you_mean |
| ||
| rubygem24-io-console |
| ||
| rubygem24-json |
| ||
| rubygem24-psych |
| ||
| rubygem24-xmlrpc |
| ||
| rubygems22 |
| ||
| rubygems22-devel |
| ||
| rubygems23 |
| ||
| rubygems23-devel |
| ||
| rubygems24 |
| ||
| rubygems24-devel |
|
Common Weakness Enumeration
References