CVE-2018-1000076

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
rubygemsrubygems
𝑥
≤ 2.2.9
rubygemsrubygems
𝑥
≤ 2.3.6
rubygemsrubygems
𝑥
≤ 2.4.3
rubygemsrubygems
𝑥
≤ 2.5.0
debiandebian_linux
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jruby
bookworm
9.3.9.0+ds-8
fixed
sid
9.4.8.0+ds-1
fixed
trixie
9.4.8.0+ds-1
fixed
rubygems
bookworm
3.3.15-2
fixed
bullseye
3.2.5-2
fixed
sid
3.4.20-1
fixed
trixie
3.4.20-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
artful
ignored
bionic
needs-triage
cosmic
ignored
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
Fixed 1.5.6-9+deb8u2build0.14.04.1~esm2
released
xenial
needs-triage
ruby1.9.1
artful
dne
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
ruby2.0
artful
dne
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
Fixed 2.0.0.484-1ubuntu2.6
released
xenial
dne
ruby2.1
artful
dne
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
ruby2.3
artful
Fixed 2.3.3-1ubuntu1.4
released
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
Fixed 2.3.1-2~16.04.7
released
ruby2.5
artful
dne
bionic
Fixed 2.5.1-1
released
cosmic
Fixed 2.5.1-1
released
disco
Fixed 2.5.1-1
released
eoan
Fixed 2.5.1-1
released
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_1-2_1
suse enterprise sap 12 SP4
2.1.9-19.3.2
fixed
suse enterprise sap 12 SP5
2.1.9-19.3.2
fixed
suse enterprise server 12 SP2
2.1.9-19.3.2
fixed
suse enterprise server 12 SP3
2.1.9-19.3.2
fixed
suse enterprise server 12 SP5
2.1.9-19.3.2
fixed
libruby2_5-2_5
suse enterprise desktop 15
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP1
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP2
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP3
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP4
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP5
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP6
2.5.5-4.3.1
fixed
suse enterprise desktop 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise sap 15
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP1
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP2
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP3
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP4
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP5
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP6
2.5.5-4.3.1
fixed
suse enterprise sap 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise server 15
2.5.5-4.3.1
fixed
suse enterprise server 15 SP1
2.5.5-4.3.1
fixed
suse enterprise server 15 SP2
2.5.5-4.3.1
fixed
suse enterprise server 15 SP3
2.5.5-4.3.1
fixed
suse enterprise server 15 SP4
2.5.5-4.3.1
fixed
suse enterprise server 15 SP5
2.5.5-4.3.1
fixed
suse enterprise server 15 SP6
2.5.5-4.3.1
fixed
suse enterprise server 15 SP7
2.5.9-150700.22.16
fixed
yast2-ruby-bindings
suse enterprise server 12 SP2
3.1.53-9.8.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
ruby
RHEL 7
0:2.0.0.648-36.el7
fixed
ruby-devel
RHEL 7
0:2.0.0.648-36.el7
fixed
ruby-doc
RHEL 7
0:2.0.0.648-36.el7
fixed
ruby-irb
RHEL 7
0:2.0.0.648-36.el7
fixed
ruby-libs
RHEL 7
0:2.0.0.648-36.el7
fixed
ruby-tcltk
RHEL 7
0:2.0.0.648-36.el7
fixed
rubygem-bigdecimal
RHEL 7
0:1.2.0-36.el7
fixed
rubygem-io-console
RHEL 7
0:0.4.2-36.el7
fixed
rubygem-json
RHEL 7
0:1.7.7-36.el7
fixed
rubygem-minitest
RHEL 7
0:4.3.2-36.el7
fixed
rubygem-psych
RHEL 7
0:2.0.0-36.el7
fixed
rubygem-rake
RHEL 7
0:0.9.6-36.el7
fixed
rubygem-rdoc
RHEL 7
0:4.0.0-36.el7
fixed
rubygems
RHEL 7
0:2.0.14.1-36.el7
fixed
rubygems-devel
RHEL 7
0:2.0.14.1-36.el7
fixed
Common Weakness Enumeration
References
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663
https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
https://usn.ubuntu.com/3621-1/
https://www.debian.org/security/2018/dsa-4219
https://www.debian.org/security/2018/dsa-4259
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663
https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
https://usn.ubuntu.com/3621-1/
https://www.debian.org/security/2018/dsa-4219
https://www.debian.org/security/2018/dsa-4259