CVE-2018-1000074

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the gem owner command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.

Published: Mar 13, 2018
Updated: May 9, 2024
CVE: CVE-2018-1000074
GHSA: GHSA-qj2w-mw2r-pv39
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
rubygems / rubygems	-	2.2.9.x
rubygems / rubygems	-	2.3.6.x
rubygems / rubygems	-	2.4.3.x
rubygems / rubygems	-	2.5.0.x
rubygems-update	-	2.7.6
org.jruby / jruby-stdlib	-	9.1.16.0

Vulnerability Database

289,697

CVE-2018-1000074